CVE-2017-0362 in MediaWiki
Summary
by MITRE
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token.
Analysis
by VulDB Data Team • 02/27/2023
CVE-2017-0362 affects MediaWiki versions prior to 1.28.1, 1.27.2, and 1.23.16 and is a critical security flaw in the wiki platform's web user interface. It concerns the watchlist feature that lets a user mark all watched pages as visited, which is commonly used to track changes in watched content. The cause is the absence of Cross-Site Request Forgery (CSRF) token validation on that action, which gives an attacker a way to trigger it on behalf of a logged-in user.
Technically, the problem is that the "Mark all pages visited" watchlist action performs a server-side state change without requiring a CSRF token. In web applications, a CSRF token bound to the user's session is the standard defense against state-changing requests that originate from another site: the browser attaches the victim's session cookie to any request, but a page on a foreign origin cannot read or derive the token. When the token is missing or not validated, an attacker can craft a request that the victim's browser sends with the victim's authenticated session, and the server executes it as if the user had intended it. Here, that means the watchlist state can be altered without the user's authorization.
From an operational standpoint, this allows unauthorized modification of user watchlists, which could be leveraged in more sophisticated attacks. An attacker could mark pages as visited to hide activity from a user who relies on the watchlist to spot changes, manipulate watchlist data for social engineering purposes, or use the capability as one step in a broader attack chain aimed at compromising user sessions. The impact goes beyond simple data manipulation, since watchlists often reveal information about a user's interests and browsing patterns.
The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and can be mapped to ATT&CK techniques T1078 (Valid Accounts), since the forged request rides on a legitimate authenticated session, and T1566 (Phishing), since the victim typically has to be lured to an attacker-controlled page. Organizations running affected MediaWiki versions face increased risk of unauthorized access and data manipulation, particularly where watchlists serve as indicators of user activity or contain sensitive information. The attack surface is of particular concern because the watchlist is used by many users who may not be security-conscious, which makes successful exploitation more likely.
Mitigation consists of upgrading to MediaWiki 1.28.1, 1.27.2, or 1.23.16, which add the missing CSRF token validation. System administrators should also monitor watchlist modifications and consider a web application firewall to detect anomalous request patterns. Organizations should review their MediaWiki installations for other CSRF weaknesses in the platform's interface components. The fix addresses the root cause by ensuring that every user action that changes server-side state validates a CSRF token, so a crafted request that merely carries the victim's authenticated session is rejected.
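The following is an added illustration, not MediaWiki's own code: a framework-neutral model of the watchlist reset handler before and after the fix described above. The session id, user name, secret and page names are constructed sample values; the fixed handler requires POST plus an HMAC-based token bound to the session, which a request originating from another site cannot supply.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-example-secret"  # constructed; real deployments load this from config

def csrf_token(session_id: str) -> str:
    """Session-bound anti-CSRF token: HMAC of the session id under the server secret.
    A page on another origin cannot read the session id, so it cannot derive the token."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def _reset(store: dict, user: str) -> None:
    """The state change itself: flag every watched page as visited."""
    for page in store[user]:
        store[user][page] = "visited"

def mark_all_visited_vulnerable(store: dict, request: dict) -> int:
    """Models the pre-fix behaviour: the action runs for any request arriving with the
    victim's session cookie. Neither the HTTP method nor a token is checked."""
    _reset(store, request["session_user"])
    return 200

def mark_all_visited_fixed(store: dict, request: dict) -> int:
    """Hardened handler: the state change requires POST plus a valid session-bound token."""
    if request["method"] != "POST":
        return 405
    supplied = request.get("form", {}).get("token", "")
    expected = csrf_token(request["session_id"])
    if not hmac.compare_digest(expected, supplied):  # constant-time; a missing token fails too
        return 403
    _reset(store, request["session_user"])
    return 200

def demo() -> dict:
    """Replay constructed requests against both handlers; returns status and resulting state."""
    sid = "sess-4f2a"  # constructed session id
    base = {"session_user": "alice", "session_id": sid}
    forged_get = {**base, "method": "GET"}                # cookie rides along, no token
    forged_post = {**base, "method": "POST", "form": {}}  # cross-site form post, no token
    legit_post = {**base, "method": "POST", "form": {"token": csrf_token(sid)}}
    results = {}
    for name, handler, req in [("vulnerable_forged_get", mark_all_visited_vulnerable, forged_get),
                               ("fixed_forged_get", mark_all_visited_fixed, forged_get),
                               ("fixed_forged_post", mark_all_visited_fixed, forged_post),
                               ("fixed_legit_post", mark_all_visited_fixed, legit_post)]:
        store = {"alice": {"Main_Page": "unread", "Security_policy": "unread"}}
        results[name] = (handler(store, req), store["alice"]["Main_Page"])
    return results
```

Running `demo()` shows the vulnerable handler resetting the watchlist on a token-less request, while the fixed handler rejects both token-less variants and accepts only the request carrying the session-bound token.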