Auth bypass in Internationalscratchwiki Mediawiki-scratch-login
CVE-2020-15164
In Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated underscore(s), since those are treated as whitespace and trimmed by MediaWiki. This af…
Vulnerability class: Broken Authentication
EPSS: 0.012 (63.6th percentile).
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N.
Affected products
Weakness classification (CWE)
Frequently asked questions
- What is CVE-2020-15164?
  - CVE-2020-15164 is a critical-severity vulnerability in Internationalscratchwiki Mediawiki-scratch-login, classified under Improper Authentication. CVSS score: 10.0/10. Published 2020-08-28.
- How severe is CVE-2020-15164?
  - Critical severity. CVSS v3 base score is 10.0 out of 10.