Description

The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote attackers to bypass authentication without a password.

Remediation

References

CVE-2013-4304

Related Vulnerabilities

WordPress Other Vulnerability (CVE-2005-2612)

WordPress Plugin Subscribe to Comments Multiple Cross-Site Scripting Vulnerabilities (2.0.4)

WordPress Plugin Spider Calendar Cross-Site Scripting (1.1.0)

Oracle Application Server CVE-2004-1368 Vulnerability (CVE-2004-1368)

WordPress Plugin 404 to 301-Redirect, Log and Notify 404 Errors Cloaking (2.2.9)

Severity

High

Classification

CVE-2013-4304 CWE-287

Tags

Missing Update Known Vulnerabilities