Skip to main content

Incorrect Permission Assignment for Critical Resource

CVE-2021-36129

Severity Medium
Score 4.3/10

Summary

An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata. This issue affects Mediawiki Translate extension package versions prior to 2021.07.

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • LOW
  • NONE
  • NONE

CWE-732 - Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

Advisory Timeline

  • Published