Vulnerability Details : CVE-2013-4302
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2013-4302
- cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.5:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.4:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.6:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.21:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4302
0.55%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 78 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-4302
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2013-4302
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4302
-
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
[MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8Patch
-
https://bugzilla.wikimedia.org/show_bug.cgi?id=49090
⚓ T51090 Login API doesn't prevent getting csrf tokens via jsonpPatch
-
https://www.mediawiki.org/wiki/Release_notes/1.20
Release notes/1.20 - MediaWiki
-
http://www.debian.org/security/2013/dsa-2753
Debian -- Security Information -- DSA-2753-1 mediawiki
-
https://www.mediawiki.org/wiki/Release_notes/1.19
Release notes/1.19 - MediaWiki
-
https://www.mediawiki.org/wiki/Release_notes/1.21
Release notes/1.21 - MediaWiki
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/86896
MediaWiki multiple modules information disclosure CVE-2013-4302 Vulnerability Report
-
http://seclists.org/oss-sec/2013/q3/553
oss-sec: Re: CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8Patch
Jump to