Description
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks.
Remediation
References
Related Vulnerabilities
Magento Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-9591)
OpenSSL Integer Overflow or Wraparound Vulnerability (CVE-2016-2177)
SugarCRM Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-17306)
WordPress Plugin Facebook Like Box Cross-Site Request Forgery (2.8.2)