Auth bypass in Internationalscratchwiki Mediawiki-scratch-login

CVE-2020-15164

In Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated underscore(s), since those are treated as whitespace and trimmed by MediaWiki. This af…

Vulnerability class: Broken Authentication

EPSS: 0.012 (63.6th percentile).

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2020-15164?
CVE-2020-15164 is a critical-severity vulnerability in Internationalscratchwiki Mediawiki-scratch-login, classified under Improper Authentication. CVSS score: 10.0/10. Published 2020-08-28.
How severe is CVE-2020-15164?
Critical severity. The CVSS v3 base score is 10.0 out of 10.