Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
MediaWiki Incorrect Permission Assignment for Critical Resource Vulnerability - CVE-2020-35625 - Vulnerability Database
MediaWiki

MediaWiki Incorrect Permission Assignment for Critical Resource Vulnerability - CVE-2020-35625

High
Reference: CVE-2020-35625
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2020-35625
Title: MediaWiki Incorrect Permission Assignment for Critical Resource Vulnerability
Overview:

An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment related to a Smarty template. For example a person in the Widget Editors group could use MediaWikiShellShell::command within a comment.