WEB APPLICATION VULNERABILITIES Standard & Premium

MediaWiki Incorrect Default Permissions Vulnerability (CVE-2021-44858)

Description

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead.

Remediation

References

Related Vulnerabilities

WebLogic Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression La Vulnerability (CVE-2021-28170)

Jenkins Other Vulnerability (CVE-2021-21696)

WordPress Plugin File Uploader Arbitrary File Upload (1.1)

WordPress Plugin Advanced Custom Fields PRO Arbitrary File Upload (5.12.2)

WordPress Plugin Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Remote Code Execution (1.5.89)

Severity

High

Classification

CVE-2021-44858 CWE-276 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities