Vulnerabilities > CVE-2020-35477 - Always-Incorrect Control Flow Implementation vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
LOW Availability impact
NONE Summary
MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" checkbox (or a tags checkbox) next to it, there is a redirection to the main page's action=historysubmit (instead of the desired behavior in which a revision-deletion form appears).
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 | |
| OS | 2 | |
| OS | 1 |
Common Weakness Enumeration (CWE)
References
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
- https://phabricator.wikimedia.org/T205908
- https://www.debian.org/security/2020/dsa-4816
- https://lists.debian.org/debian-lts-announce/2020/12/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STT5Z4A3BCXVH3WIPICWU2FP4IPIMUPC/