CVE-2019-19709: Possible to circumvent title denylist
(updated )
MediaWiki through 1.33.1 allows attackers to bypass the title denylist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.
References
- gerrit.wikimedia.org/r/q/Ie54f366986056c876eade0fcad6c41f70b8b8de8
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-19709.yaml
- github.com/advisories/GHSA-pjv5-vv93-p648
- github.com/wikimedia/mediawiki
- nvd.nist.gov/vuln/detail/CVE-2019-19709
- phabricator.wikimedia.org/T239466
- seclists.org/bugtraq/2019/Dec/48
- www.debian.org/security/2019/dsa-4592
Detect and mitigate CVE-2019-19709 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →