The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote attackers to bypass authentication without a password.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2014-01-26T20:00:00
Updated: 2017-08-28T12:57:01
Reserved: 2013-06-12T00:00:00
Link: CVE-2013-4304
JSON object: View
NVD Information
Status : Modified
Published: 2014-01-26T20:55:04.173
Modified: 2017-08-29T01:33:36.950
Link: CVE-2013-4304
JSON object: View
Redhat Information
No data.
CWE