CVE-2020-35625
N/A
N/A
Summary
An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \MediaWiki\Shell\Shell::command within a comment.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://phabricator.wikimedia.org/T269718
- https://gerrit.wikimedia.org/r/q/Ic899a8b15bc510e61cdacb5c024af2d226a2dbeb
References
- https://phabricator.wikimedia.org/T269718
- https://gerrit.wikimedia.org/r/q/Ic899a8b15bc510e61cdacb5c024af2d226a2dbeb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.