Red Hat Bugzilla – Bug 806343
CVE-2012-1578 mediawiki (v1.18.2): CSRF in the block / unblock API modules
Last modified: 2016-03-04 06:03:20 EST
It was found that the block / unblock API modules of MediaWiki, a wiki engine, did not verify that the security token was present in operations that block or unblock another user account. A valid MediaWiki user with block privileges could use this flaw to block or unblock the user account of another user without providing a security token (CSRF).
Upstream bug report:
Included within revision:
This issue affects the versions of the mediawiki package as shipped with Fedora releases 15 and 16.
This issue did NOT affect the version of the mediawiki package as shipped with Fedora EPEL 5.
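Added example, not code from MediaWiki or from this bug report: a small Python model of an API dispatcher that checks a per-session CSRF token only for the modules flagged as needing one. The module table, session ids, secret and request dicts are constructed for illustration; the `needs_token` flag is modelled on MediaWiki's per-module token requirement but is not its implementation. The "vulnerable" table omits block and unblock, so a request that carries the victim's session cookie but no token is accepted, which is the flaw described above; the "fixed" table requires the token for those modules too.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed server secret; a real deployment takes this from configuration,
# never from source. Tokens are bound to the session so that a token issued to
# one user cannot be replayed against another user's session.
SERVER_SECRET = b"constructed-server-secret"


def make_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC-SHA256(secret, session_id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Reject a missing token outright, and compare in constant time otherwise."""
    if not presented:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), presented)


# Hypothetical module table: True means the module changes state and must carry
# a token. The vulnerable table leaves block/unblock unprotected, mirroring the
# bug; the fixed table protects every state-changing module.
VULNERABLE_NEEDS_TOKEN: Dict[str, bool] = {"edit": True, "block": False, "unblock": False}
FIXED_NEEDS_TOKEN: Dict[str, bool] = {"edit": True, "block": True, "unblock": True}


def dispatch(request: Dict[str, str], needs_token: Dict[str, bool]) -> str:
    """Route one API request.

    `request["session"]` models the authenticated session cookie, which the
    victim's browser attaches automatically; `request["token"]` models the CSRF
    token, which only a same-origin page can read and therefore a forged
    cross-site request cannot supply.
    """
    action = request["action"]
    if action not in needs_token:
        return "error:unknownaction"
    if needs_token[action] and not token_valid(request["session"], request.get("token")):
        return "error:badtoken"
    return f"ok:{action}"


def demo() -> Dict[str, str]:
    """Run the same forged (token-less) block request against both tables."""
    victim_session = "constructed-session-of-user-with-block-rights"
    forged = {"action": "block", "session": victim_session}  # no token field
    legit = {"action": "block", "session": victim_session,
             "token": make_csrf_token(victim_session)}
    return {
        "forged_vulnerable": dispatch(forged, VULNERABLE_NEEDS_TOKEN),
        "forged_fixed": dispatch(forged, FIXED_NEEDS_TOKEN),
        "legit_fixed": dispatch(legit, FIXED_NEEDS_TOKEN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check that matters for detection and review is the first branch of `dispatch`: every state-changing module must be in the table with `True`, and a token that is absent must fail before any comparison is attempted. A module left out of the table, or mapped to `False`, is exactly the gap the advisory describes.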
Created mediawiki tracking bugs for this issue:
Affects: fedora-all [bug 806398]
The CVE identifier of CVE-2012-1578 has been assigned to this issue:
The current version of mediawiki in Fedora is not vulnerable to this issue (1.19.4), however EPEL5 still provides mediawiki 1.14 as well as 1.16; EPEL6 and Fedora also provide 1.16. It is unknown whether or not those versions are affected by this issue as they are no longer supported by upstream.