First published: Thu Feb 06 2020
The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
MediaWiki MediaWiki | <1.19.9 | |
MediaWiki MediaWiki | >=1.20<1.20.8 | |
MediaWiki MediaWiki | >=1.21<1.21.3 | |
Fedoraproject Fedora | =18 | |
Fedoraproject Fedora | =19 | |
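
The check below is an added example, not code from MediaWiki or CentralNotice: it flags a response that both sets a cookie and carries Cache-Control directives that permit a shared cache (proxy, CDN) to store and reuse it, which is the condition the description above names. The function names and the sample headers are constructed for illustration, and heuristic caching based on Expires or Last-Modified is not evaluated.

```python
import re

# Added example: audit one HTTP response for a cacheable Set-Cookie header.
# Assumption: only explicit Cache-Control directives are evaluated.

_DIRECTIVE = re.compile(r'([\w-]+)(?:=("[^"]*"|[^,\s]*))?')

# Constructed sample responses (cookie name and value are placeholders).
LEAKY = [("Set-Cookie", "wiki_session=EXAMPLE; HttpOnly"),
         ("Cache-Control", "s-maxage=3600, must-revalidate, max-age=0")]
SAFE = [("Set-Cookie", "wiki_session=EXAMPLE; HttpOnly"),
        ("Cache-Control", "private, must-revalidate, max-age=0")]


def parse_cache_control(value):
    """Return {directive: argument}; the argument is '' when absent."""
    return {name.lower(): arg.strip('"')
            for name, arg in _DIRECTIVE.findall(value)}


def _positive(arg):
    """True if a delta-seconds argument is a positive integer."""
    return arg.isdigit() and int(arg) > 0


def _private_covers_cookie(arg):
    """Unqualified private covers the whole response; the qualified form
    only covers the header fields it lists."""
    fields = [f.strip().lower() for f in arg.split(",") if f.strip()]
    return not fields or "set-cookie" in fields


def cookie_cacheable_by_shared_cache(headers):
    """headers: list of (name, value) pairs from one HTTP response."""
    if "set-cookie" not in [n.lower() for n, _ in headers]:
        return False
    cc = parse_cache_control(
        ",".join(v for n, v in headers if n.lower() == "cache-control"))
    if "no-store" in cc:
        return False
    if "private" in cc and _private_covers_cookie(cc["private"]):
        return False
    # s-maxage overrides max-age for shared caches.
    lifetime = cc.get("s-maxage", cc.get("max-age", ""))
    return "public" in cc or _positive(lifetime)
```

Run it over captured response headers from session-creating endpoints; any response for which it returns True should be sent with `private` or `no-store` instead.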