CVE-2022-28209 in MediaWiki
Summary
by MITRE • 03/30/2022
An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/16/2026
The vulnerability identified as CVE-2022-28209 resides within the MediaWiki content management system and specifically affects versions through 1.37.1. This issue manifests within the AntiSpoof extension, which is designed to prevent user name spoofing attacks by implementing checks that should verify whether users possess the appropriate permissions to override anti-spoofing protections. The fundamental flaw lies in the incorrect implementation of permission validation logic that fails to properly authenticate administrative privileges required for bypassing anti-spoofing mechanisms. This misconfiguration creates a potential security gap where unauthorized actors might exploit the permission system to gain elevated privileges or manipulate user account creation processes that should be restricted.
The technical nature of this vulnerability stems from improper access control implementation within the AntiSpoof extension's permission checking mechanism. According to CWE classification, this represents a weakness in permission checking and access control validation. The flaw allows for privilege escalation through incorrect permission verification, where the system fails to properly distinguish between users who should and should not be granted override-antispoof permissions. This misimplementation creates a direct pathway for attackers to bypass intended security controls that protect against malicious user name spoofing attempts. The vulnerability specifically affects the authorization logic that should enforce administrative restrictions on anti-spoofing overrides, potentially allowing malicious users to create or modify accounts with names that could confuse other users or impersonate legitimate administrators.
The operational impact of CVE-2022-28209 extends beyond simple privilege escalation to encompass broader security implications for MediaWiki installations. Attackers could exploit this vulnerability to create user accounts that mimic legitimate administrators or other trusted users, leading to potential social engineering attacks, account takeover scenarios, and disruption of normal user authentication processes. The vulnerability creates a persistent threat vector that could be leveraged in various attack scenarios including credential stuffing, session hijacking, and reputation damage through spoofed user activities. Organizations running MediaWiki systems are particularly vulnerable because the flaw exists in a core security extension that is typically enabled by default, making the attack surface immediately exploitable without requiring additional malicious code or complex attack chains. This vulnerability directly impacts the integrity of user authentication systems and undermines the trust model that MediaWiki relies upon for maintaining secure collaborative environments.
Mitigation strategies for CVE-2022-28209 should prioritize immediate patching of affected MediaWiki installations to version 1.37.2 or later, where the permission checking logic has been corrected. Organizations should also implement additional monitoring for suspicious user account creation patterns and unusual permission modifications that might indicate exploitation attempts. Security teams should review and validate existing user permission assignments to ensure that only authorized administrators possess the override-antispoof capabilities. The ATT&CK framework categorizes this vulnerability under privilege escalation techniques where attackers leverage misconfigured access controls to gain elevated system privileges. Network administrators should consider implementing additional access control measures such as multi-factor authentication for administrative accounts and enhanced audit logging to detect unauthorized permission changes. Organizations should also conduct comprehensive security assessments of their MediaWiki installations to identify any other potential misconfigurations within the AntiSpoof extension or related security components. Regular security updates and patch management procedures should be reinforced to prevent similar permission validation flaws from occurring in other extensions or system components.