Description
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an upload restriction and a create restriction. An attacker cannot leverage this to overwrite anything, but can leverage this to force a wiki to have a page with a disallowed title.
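The upload/create distinction described above, as an added example: a simplified Python model of per-title restrictions, not MediaWiki or FileImporter code. The `Wiki` class, both function names, the group names and the sample titles are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Wiki:
    # Hypothetical model: titles that already exist, and per-title
    # restrictions mapping an action to the group required for it.
    existing: set = field(default_factory=set)
    restrictions: dict = field(default_factory=dict)

    def allowed(self, groups, title, action):
        required = self.restrictions.get(title, {}).get(action)
        return required is None or required in groups


def flawed_can_import(wiki, groups, title):
    # Consults only the "upload" restriction. A create-protected title that
    # does not exist yet carries no "upload" restriction, so the check passes.
    if title in wiki.existing:
        return False  # an import never overwrites an existing page
    return wiki.allowed(groups, title, "upload")


def corrected_can_import(wiki, groups, title):
    # Importing to a missing title creates the page, so "create" must hold too.
    if title in wiki.existing:
        return False
    return (wiki.allowed(groups, title, "create")
            and wiki.allowed(groups, title, "upload"))


def demo():
    # Constructed sample data, not taken from a real wiki.
    wiki = Wiki(
        existing={"File:Logo.png"},
        restrictions={"File:Blocked title.png": {"create": "sysop"},
                      "File:Logo.png": {"upload": "sysop"}},
    )
    user, admin = {"user"}, {"user", "sysop"}
    blocked = "File:Blocked title.png"
    return {
        "flawed_user_blocked": flawed_can_import(wiki, user, blocked),
        "corrected_user_blocked": corrected_can_import(wiki, user, blocked),
        "corrected_admin_blocked": corrected_can_import(wiki, admin, blocked),
        "flawed_user_existing": flawed_can_import(wiki, user, "File:Logo.png"),
        "corrected_user_free": corrected_can_import(wiki, user, "File:New.png"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A regression test for the fixed behaviour needs the first two cases at minimum: the same unprivileged user and the same create-protected, non-existent title, accepted by the upload-only check and rejected once the create restriction is consulted.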
Remediation
References