CVSS Score
The vulnerability stems from a missing account lock check in the BotPassword authentication flow. Per Phabricator task T194605, the security patch added a CentralAuthUser::isLocked() check to BotPasswordProvider.php, which indicates that provideAuthentication granted access on a valid bot password without verifying whether the underlying account was locked. The CWE-287 (Improper Authentication) classification is consistent with an authentication bypass caused by a missing check in the authentication provider.
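The bug class described above is a secondary login path that verifies credentials on its own but never consults the account-state check the primary path applies. The following is an added toy model of that pattern, not MediaWiki or CentralAuth code: the names `CentralAuthUser.is_locked` and `provide_authentication` echo the page's `CentralAuthUser::isLocked()` and `provideAuthentication`, while the password store, result object, accounts and bot passwords are constructed for the demo. It shows the vulnerable provider accepting a valid bot password for a locked account and the patched provider rejecting it.

```python
"""Toy model of a bot-password login path with and without a central lock check.

Constructed example, not MediaWiki/CentralAuth code. Only the lock check mirrors
the patch described on the page; everything else is invented for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthResult:
    status: str                      # "PASS" or "FAIL"
    username: Optional[str] = None   # set on PASS
    reason: Optional[str] = None     # set on FAIL


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class BotPassword:
    """Per-application password bound to a wiki account; login name is 'User@appid'."""
    username: str
    app_id: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, username: str, app_id: str, password: str) -> "BotPassword":
        salt = secrets.token_bytes(16)
        return cls(username, app_id, salt, _hash_password(password, salt))

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))


class CentralAuthUser:
    """Stand-in for the global account record; only the lock flag matters here."""
    def __init__(self, name: str, locked: bool = False):
        self.name = name
        self.locked = locked

    def is_locked(self) -> bool:
        return self.locked


class VulnerableBotPasswordProvider:
    """Verifies the bot password only; the central lock is never consulted (the bug)."""
    def __init__(self, bot_passwords: List[BotPassword], central_users: Dict[str, CentralAuthUser]):
        self.bot_passwords = {(b.username, b.app_id): b for b in bot_passwords}
        self.central_users = central_users

    def provide_authentication(self, login_name: str, password: str) -> AuthResult:
        if "@" not in login_name:
            return AuthResult("FAIL", reason="not a bot password login")
        username, app_id = login_name.rsplit("@", 1)
        bp = self.bot_passwords.get((username, app_id))
        if bp is None or not bp.verify(password):
            return AuthResult("FAIL", reason="bad credentials")
        return AuthResult("PASS", username=username)


class FixedBotPasswordProvider(VulnerableBotPasswordProvider):
    """Same credential check, plus the lock check before access is granted."""
    def provide_authentication(self, login_name: str, password: str) -> AuthResult:
        result = super().provide_authentication(login_name, password)
        if result.status != "PASS":
            return result
        central = self.central_users.get(result.username)
        if central is not None and central.is_locked():
            # Valid credentials are not enough: a locked account must not get a session.
            return AuthResult("FAIL", reason="account locked")
        return result


# Constructed fixture: Alice is globally locked but still holds a valid bot password.
ALICE_BOT_PW = "correct horse battery staple"
BOB_BOT_PW = "hunter2-but-much-longer"
_BOT_PASSWORDS = [
    BotPassword.create("Alice", "backupbot", ALICE_BOT_PW),
    BotPassword.create("Bob", "cleanup", BOB_BOT_PW),
]
_CENTRAL = {"Alice": CentralAuthUser("Alice", locked=True), "Bob": CentralAuthUser("Bob")}


def login(provider_cls, login_name: str, password: str) -> AuthResult:
    """Run one login attempt through the given provider class over the fixture."""
    return provider_cls(_BOT_PASSWORDS, _CENTRAL).provide_authentication(login_name, password)


if __name__ == "__main__":
    for cls in (VulnerableBotPasswordProvider, FixedBotPasswordProvider):
        print(cls.__name__, "locked Alice ->", login(cls, "Alice@backupbot", ALICE_BOT_PW))
```

The point to carry over when auditing a real system is structural rather than about this one file: every authentication provider or session provider that can mint a session must apply the same account-state checks (locked, blocked, disabled) as the primary password path, and a regression test such as the locked-account case above belongs next to each of them.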
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mediawiki/core | composer | >= 1.27.0, < 1.27.5 | 1.27.5 |
| mediawiki/core | composer | >= 1.29.0, < 1.29.3 | 1.29.3 |
| mediawiki/core | composer | >= 1.30.0, < 1.30.1 | 1.30.1 |
| mediawiki/core | composer | >= 1.31.0, < 1.31.1 | 1.31.1 |