Description
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks.
Related Vulnerabilities
WordPress Deserialization of Untrusted Data Vulnerability (CVE-2020-28032)
Joomla Other Vulnerability (CVE-2005-3771)
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-35152)
WordPress Plugin WP Mail Logging Security Bypass (1.11.2)
Oracle Database Server Improper Input Validation Vulnerability (CVE-2016-2381)