Vulnerability Description
Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | >= 1.19.0, < 1.19.8 |
Related Weaknesses (CWE)
References
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.htPatch
- http://osvdb.org/96908Broken Link
- http://seclists.org/oss-sec/2013/q3/553Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/62210Third Party AdvisoryVDB Entry
- https://bugzilla.wikimedia.org/show_bug.cgi?id=45019Issue TrackingPatch
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86893VDB Entry
- https://git.wikimedia.org/commit/mediawiki%2Fextensions%2FCheckUser.git/99ad25d0Patch
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.htPatch
- http://osvdb.org/96908Broken Link
- http://seclists.org/oss-sec/2013/q3/553Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/62210Third Party AdvisoryVDB Entry
- https://bugzilla.wikimedia.org/show_bug.cgi?id=45019Issue TrackingPatch
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86893VDB Entry
- https://git.wikimedia.org/commit/mediawiki%2Fextensions%2FCheckUser.git/99ad25d0Patch
FAQ
What is CVE-2013-4306?
CVE-2013-4306 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authenticati...
How severe is CVE-2013-4306?
CVE-2013-4306 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-4306?
Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki.