Description

An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.

Remediation

References

CVE-2020-35623

Related Vulnerabilities

Dolibarr Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-19995)

WordPress Plugin The Plus Addons for Elementor Open Redirect (4.1.9)

WordPress Plugin W3 Total Cache Multiple Unspecified Vulnerabilities (0.9.5.1)

WordPress Plugin PHP Everywhere Multiple Remote Code Execution Vulnerabilities (2.0.3)

WordPress Plugin Ultimate Member-User Profile, Registration, Login, Member Directory, Content Restriction & Membership Cross-Site Scripting (2.8.4)

Severity

High

Classification

CVE-2020-35623 CWE-522 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities