fkie_cve-2013-4302
Vulnerability from fkie_nvd
Published
2013-10-27 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.
References
secalert@redhat.comhttp://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.htmlPatch
secalert@redhat.comhttp://osvdb.org/96912
secalert@redhat.comhttp://seclists.org/oss-sec/2013/q3/553Patch
secalert@redhat.comhttp://secunia.com/advisories/54715Vendor Advisory
secalert@redhat.comhttp://www.debian.org/security/2013/dsa-2753
secalert@redhat.comhttps://bugzilla.wikimedia.org/show_bug.cgi?id=49090Patch
secalert@redhat.comhttps://exchange.xforce.ibmcloud.com/vulnerabilities/86896
secalert@redhat.comhttps://www.mediawiki.org/wiki/Release_notes/1.19
secalert@redhat.comhttps://www.mediawiki.org/wiki/Release_notes/1.20
secalert@redhat.comhttps://www.mediawiki.org/wiki/Release_notes/1.21
af854a3a-2127-422b-91ae-364da2661108http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.htmlPatch
af854a3a-2127-422b-91ae-364da2661108http://osvdb.org/96912
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/oss-sec/2013/q3/553Patch
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/54715Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2013/dsa-2753
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.wikimedia.org/show_bug.cgi?id=49090Patch
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/86896
af854a3a-2127-422b-91ae-364da2661108https://www.mediawiki.org/wiki/Release_notes/1.19
af854a3a-2127-422b-91ae-364da2661108https://www.mediawiki.org/wiki/Release_notes/1.20
af854a3a-2127-422b-91ae-364da2661108https://www.mediawiki.org/wiki/Release_notes/1.21
Impacted products
Vendor Product Version
mediawiki mediawiki 1.19.0
mediawiki mediawiki 1.19.1
mediawiki mediawiki 1.19.2
mediawiki mediawiki 1.19.3
mediawiki mediawiki 1.19.4
mediawiki mediawiki 1.19.5
mediawiki mediawiki 1.19.6
mediawiki mediawiki 1.19.7
mediawiki mediawiki 1.20
mediawiki mediawiki 1.20.1
mediawiki mediawiki 1.20.2
mediawiki mediawiki 1.20.3
mediawiki mediawiki 1.20.4
mediawiki mediawiki 1.20.5
mediawiki mediawiki 1.20.6
mediawiki mediawiki 1.21
mediawiki mediawiki 1.21.1


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7C29D44-2964-483F-B672-27B5CE471DA6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "172FEFE5-9900-49D0-9E14-2FA4A7912D23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA3205F5-3A29-4D45-AC95-83174F8969BB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "5547DA02-3BEC-4278-A714-25CCB820AA79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3E5609D-EC04-4088-9B61-ABDD256200F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "B23B09BB-8F43-4D60-A37F-D8685584AF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A8A3F38-9A86-4346-9337-5C2A1DED37C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "49CCC3B5-9BD4-40B4-AF1A-DF4B2A6DC12D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "8FA45494-185A-4ED1-8818-D9F14EB9B59B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.20.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "59319309-D926-4353-8E0C-1FE0CB97E4D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.20.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA15B197-EC42-49F0-8764-E315CDA7EA03",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.20.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "ECD4CD3D-6022-4F75-A524-5A5247EF23AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.20.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "75B95AE3-6FA0-44BD-A78A-F059613B57EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.20.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "94646567-FF30-4FBA-96C5-914EB3C85D7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.20.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF088531-6875-49A2-B220-D7EC38ECC50F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.21:*:*:*:*:*:*:*",
              "matchCriteriaId": "383CE1D8-7A58-4C24-8898-8C592F98EFCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "3DA12531-818E-4AD7-A3E7-467604775416",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php."
    },
    {
      "lang": "es",
      "value": "Los scripts ApiBlock.php,  ApiCreateAccount.php,  ApiLogin.php, ApiMain.php,  ApiQueryDeletedrevs.php,  ApiTokens.php, y ApiUnblock.php en includes/api en MediaWiki 1.19.x anterior a 1.19.8, 1.20.x anterior a 1.20.7, y 1.21.x anterior a  1.21.2  permite a atacantes remotos obtener tokens CSFR y evitar la protecci\u00f3n contra CSFR via peticiones  JSON a  wiki/api.php"
    }
  ],
  "id": "CVE-2013-4302",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-10-27T00:55:03.883",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://osvdb.org/96912"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://seclists.org/oss-sec/2013/q3/553"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/54715"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2013/dsa-2753"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=49090"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86896"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://www.mediawiki.org/wiki/Release_notes/1.19"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://www.mediawiki.org/wiki/Release_notes/1.20"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://www.mediawiki.org/wiki/Release_notes/1.21"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/96912"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://seclists.org/oss-sec/2013/q3/553"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/54715"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2013/dsa-2753"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=49090"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86896"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.mediawiki.org/wiki/Release_notes/1.19"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.mediawiki.org/wiki/Release_notes/1.20"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.mediawiki.org/wiki/Release_notes/1.21"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.