First published: Mon Dec 21 2020
An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a member of the Widget Editors group could invoke \MediaWiki\Shell\Shell::command from within such a comment.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MediaWiki (Widgets extension) | <=1.35.1 | Upgrade to MediaWiki 1.35.2 or later |
CVE-2020-35625 has a medium severity rating because it lets a user who can edit Widgets-namespace pages execute arbitrary static functions.
To fix CVE-2020-35625, upgrade MediaWiki to version 1.35.2 or later, which addresses the vulnerability.
Any user with edit permissions in the Widgets namespace of MediaWiki versions up to and including 1.35.1 is affected by CVE-2020-35625.
CVE-2020-35625 is a code execution vulnerability that is triggered through crafted HTML comments in Smarty-based widget templates.
Installations that have been updated to MediaWiki version 1.35.2 or later are no longer at risk from CVE-2020-35625.