FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mediawiki -- authenticated CSRF vulnerability

Affected packages
mediawiki < 1.15.3


VuXML ID 694da5b4-5877-11df-8d80-0015587e2cc1
Discovery 2010-04-07
Entry 2010-05-05

A MediaWiki security announcement reports:

MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website.

If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password.


CVE Name CVE-2010-1150