CVE-2020-35625
CVE-2020-35625 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. EPSS estimates a 1.03% chance of exploitation in the next 30 days.
Description
An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \MediaWiki\Shell\Shell::command within a comment.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | <= 1.35.1 |
References
- https://gerrit.wikimedia.org/r/q/Ic899a8b15bc510e61cdacb5c024af2d226a2dbeb (Third Party Advisory)
- https://phabricator.wikimedia.org/T269718 (Third Party Advisory)
Source: NVD / NIST
