Fluid Attacks Database

Description

Possible to circumvent title-blacklist MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	mediawiki	>=0 <1:1.31.6-1	1:1.31.6-1
debian 12	mediawiki	>=0 <1:1.31.6-1	1:1.31.6-1
packagist	mediawiki/core	>=1.31.0 <1.31.6 \|\| >=1.32.0 <1.32.6 \|\| >=1.33.0 <1.33.2 \|\| >=1.33.99 <1.34.0	1.31.6, 1.32.6, 1.33.2, 1.34.0
debian 13	mediawiki	>=0 <1:1.31.6-1	1:1.31.6-1
debian 14	mediawiki	>=0 <1:1.31.6-1	1:1.31.6-1

Aliases

1. CVE-2019-197092. NVD-2019-197093. OSV-DEBIAN-2019-197094. OSV-2019-197095. GCVE-2019-197096. SECURITY-TRACKER-CVE-2019-19709

References

1. https://gerrit.wikimedia.org/r/q/Ie54f366986056c876eade0fcad6c41f70b8b8de82. https://github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-19709.yaml3. https://phabricator.wikimedia.org/T2394664. https://seclists.org/bugtraq/2019/Dec/485. https://www.debian.org/security/2019/dsa-4592