Red Hat Bugzilla – Bug 806357
CVE-2012-1580 mediawiki (v1.18.2): CSRF due disabled token check by performing file uploads
Last modified: 2016-03-04 06:36:34 EST
A cross-site request forgery (CSRF) flaw was found in the way MediaWiki, a wiki engine, performed security token presence check for file uploads. A remote attacker could provide a specially-crafted web page, which once visited by a valid MediaWiki user could allow the attacker to upload file without victim's interaction, or, potentially to cause a further account compromise.
Upstream bug report:
This issue affects the versions of the mediawiki package, as shipped with Fedora release of 15 and 16.
This issue did not affect the version of the mediawiki package, as shipped with Fedora EPEL 5.
Created mediawiki tracking bugs for this issue
Affects: fedora-all [bug 806398]
The CVE identifier of CVE-2012-1580 has been assigned to this issue:
The current version of mediawiki in Fedora is not vulnerable to this issue (1.19.4), however EPEL5 still provides mediawiki 1.14 as well as 1.16; EPEL6 and Fedora also provide 1.16. It is unknown whether or not those versions are affected by this issue as they are no longer supported by upstream.