CVE-2020-15164 Information
Feb 14, 2021
cve
Description
in Scratch Login (MediaWiki extension) before version 1.1 any account can be logged into by using the same username with leading trailing or repeated underscore(s) since those are treated as whitespace and trimmed by MediaWiki. This affects all users on any wiki using this extension. Since version 1.1 comments by users whose usernames would be trimmed on MediaWiki are ignored when searching for the verification code.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Reference
https://github.com/InternationalScratchWiki/mediawiki-scratch-login/commit/70849ef375016a1061490c8c4744046dbfc3e679 https://github.com/InternationalScratchWiki/mediawiki-scratch-login/security/advisories/GHSA-8fq5-g4m5-6j43
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
CHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
NONE
Base Severity
10.0
Share on: