CVE-2010-1150

CVSS V2 Medium 6 CVSS V3 None

Description

MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue.

Overview

CVE ID
CVE-2010-1150

Assigner
secalert@redhat.com

Vulnerability Status
Modified

Published Version
2010-04-20T15:30:00

Last Modified Date
2023-02-13T04:17:05

Weakness Enumerations

CWE	URL
CWE-352	http://cwe.mitre.org/data/definitions/352.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
cpe:2.3:a:mediawiki:mediawiki::::::::	1	OR	1.15.2
cpe:2.3:a:mediawiki:mediawiki:1.6.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.2:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.3:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.4:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.5:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.6:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.7:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.8:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.9:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.10:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.11:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.6.12:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.7.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.7.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.7.2:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.7.3:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.8.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.8.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.8.2:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.8.3:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.8.4:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.8.5:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.9.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.9.0:rc2::::::	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.9.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.9.2:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.9.3:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.9.4:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.9.5:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.9.6:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.10.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.10.0:rc1::::::	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.10.0:rc2::::::	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.10.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.10.2:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.10.3:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.10.4:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.11.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.11.0:rc1::::::	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.11.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.11.2:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.12.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.12.0:rc1::::::	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.12.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.12.2:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.12.3:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.12.4:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.13.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc1::::::	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc2::::::	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.13.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.13.2:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.13.3:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.13.4:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.14.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.14.0:rc1::::::	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.14.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.15.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.15.0:rc1::::::	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.15.1:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.16.0:::::::*	1	OR
cpe:2.3:a:mediawiki:mediawiki:1.16.0:beta1::::::	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:M/Au:S/C:P/I:P/A:P

Access Vector
NETWORK

Access Compatibility
MEDIUM

Authentication
SINGLE

Confidentiality Impact
PARTIAL

Integrity Impact
PARTIAL

Availability Impact
PARTIAL

Base Score
6

Severity
MEDIUM

Exploitability Score
6.8

Impact Score
6.4

References

Reference URL	Reference Tags
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz	Patch
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz	Patch
http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html	Patch Vendor Advisory
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_3/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_0beta2/phase3/RELEASE-NOTES
http://www.debian.org/security/2010/dsa-2041
http://www.openwall.com/lists/oss-security/2010/04/07/1
http://www.openwall.com/lists/oss-security/2010/04/08/4
http://www.vupen.com/english/advisories/2010/1055
https://access.redhat.com/security/cve/CVE-2010-1150
https://bugzilla.redhat.com/show_bug.cgi?id=580418
https://bugzilla.wikimedia.org/show_bug.cgi?id=23076	Exploit

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2010-1150
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1150

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 11:11:19				Added to TrackCVE
2023-02-02 19:02:46		2023-02-02T17:17:17	CVE Modified Date	updated
2023-02-02 19:02:47	MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue.	CVE-2010-1150 MediaWiki v.1.15.3: Login CSRF	Description	updated
2023-02-02 19:02:54			References	updated
2023-02-13 05:03:32		2023-02-13T04:17:05	CVE Modified Date	updated
2023-02-13 05:03:33	CVE-2010-1150 MediaWiki v.1.15.3: Login CSRF	MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue.	Description	updated