Vulnerability Description
In Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated underscore(s), since those are treated as whitespace and trimmed by MediaWiki. This affects all users on any wiki using this extension. Since version 1.1, comments by users whose usernames would be trimmed on MediaWiki are ignored when searching for the verification code.
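The following Python model of the matching logic is an added example, not the extension's own code. It shows the pre-1.1 comparison next to the 1.1 rule of ignoring comment authors whose names would be trimmed. The function names, the `(author, text)` comment shape, the simplified normalization and the sample data are all assumptions made for illustration.

```python
import re

def wiki_normalize(name: str) -> str:
    # Simplified model of the behaviour described above: underscores count as
    # whitespace, runs are collapsed, and leading/trailing whitespace is trimmed.
    return re.sub(r"[ _]+", " ", name).strip()

def would_be_trimmed(name: str) -> bool:
    # True when normalization drops characters, so that several distinct
    # Scratch usernames end up as the same wiki account name.
    return wiki_normalize(name) != name.replace("_", " ")

def code_posted_by(wiki_user: str, code: str, comments, hardened: bool) -> bool:
    """Return True if a comment accepted as coming from wiki_user contains code.

    comments: iterable of (scratch_author, text) pairs (hypothetical shape).
    hardened=False models the pre-1.1 behaviour, hardened=True the 1.1 rule.
    """
    target = wiki_normalize(wiki_user)
    for author, text in comments:
        if hardened and would_be_trimmed(author):
            continue  # 1.1 rule: ignore authors whose names would be trimmed
        if wiki_normalize(author) == target and code in text:
            return True
    return False

# Constructed sample data, not taken from any real wiki or project.
CODE = "c0ffee-1234"
COMMENTS = [
    ("_Example_User", "c0ffee-1234"),   # leading underscore: a different Scratch account
    ("Other__Person", "c0ffee-1234"),   # repeated underscore
    ("Example_User", "nice project!"),  # the account owner, no code posted
]

if __name__ == "__main__":
    for hardened in (False, True):
        ok = code_posted_by("Example User", CODE, COMMENTS, hardened)
        print(f"hardened={hardened}: login accepted = {ok}")
```

A single internal underscore is not flagged, because it maps one-to-one to a space and no second Scratch username collapses onto the same wiki name.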
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Scratch-Wiki | Scratch Login | < 1.1 |
Related Weaknesses (CWE)
References
- https://github.com/InternationalScratchWiki/mediawiki-scratch-login/commit/70849 (Patch, Third Party Advisory)
- https://github.com/InternationalScratchWiki/mediawiki-scratch-login/security/adv (Third Party Advisory)
FAQ
What is CVE-2020-15164?
CVE-2020-15164 is a vulnerability with a CVSS score of 10.0 (CRITICAL). In Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated underscore(s), since those are treated as white...
How severe is CVE-2020-15164?
CVE-2020-15164 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-15164?
Check the references section above for vendor advisories and patch information. Affected products include: Scratch-Wiki Scratch Login.