The vulnerability stemmed from OATHAuth's TOTP verification using per-wiki, user-based rate limits (User::pingLimiter('badoath')) rather than global limits. Phabricator T251661 shows the fix involved: 1) adding a 'user-global' rate-limit type to User::pingLimiter, and 2) modifying OATHAuth to use this new limit type. Before the patch, TOTPSecondaryAuthenticationProvider::continueSecondaryAuthentication called the rate limiter without cross-wiki enforcement, and User::pingLimiter's original design lacked a mechanism to enforce global user-based limits, which clustered environments require.
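As an added illustration (not MediaWiki or OATHAuth code), the toy limiter below models the two key scopes described above: the per-wiki 'user' scope keys the counter on wiki plus user, while the 'user-global' scope keys it on user alone, so one counter covers the whole cluster. The limit value, key layout and wiki names are assumptions.

```python
# Added example (not MediaWiki/OATHAuth code): minimal model of the two
# rate-limit scopes. Limit value, key format and wiki ids are assumptions.
from collections import defaultdict

LIMIT = 10  # assumed 'badoath' limit: attempts per window per key


class PingLimiter:
    """Counts hits per key within one window; reports when a key exceeds its limit."""

    def __init__(self, limit=LIMIT):
        self.limit = limit
        self.hits = defaultdict(int)

    def ping(self, key):
        """Record one attempt under `key`; return True when the key is over its limit."""
        self.hits[key] += 1
        return self.hits[key] > self.limit


def limit_key(action, user, wiki, scope):
    # 'user' scope: the wiki id is part of the key, so every wiki keeps its own counter
    # 'user-global' scope: the wiki id is omitted, so one counter spans the cluster
    if scope == "user":
        return f"{action}:{wiki}:{user}"
    if scope == "user-global":
        return f"{action}:{user}"
    raise ValueError(f"unknown scope {scope!r}")


def accepted_attempts(limiter, user, wikis, scope, attempts_per_wiki):
    """Return how many TOTP checks the limiter lets through across all `wikis`."""
    accepted = 0
    for wiki in wikis:
        for _ in range(attempts_per_wiki):
            if not limiter.ping(limit_key("badoath", user, wiki, scope)):
                accepted += 1
    return accepted


if __name__ == "__main__":
    cluster = [f"wiki{i}" for i in range(5)]  # constructed: a five-wiki cluster
    # Per-wiki scope: each wiki grants LIMIT attempts, so the cap multiplies by cluster size.
    print(accepted_attempts(PingLimiter(), "alice", cluster, "user", 50))         # 50
    # Global scope: the same LIMIT holds no matter how many wikis share the user.
    print(accepted_attempts(PingLimiter(), "alice", cluster, "user-global", 50))  # 10
```

The difference between the two printed counts is exactly the multiplication the 'user-global' type was introduced to remove.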
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mediawiki/core | composer | >= 1.31.0, < 1.31.9 | 1.31.9 |
| mediawiki/core | composer | >= 1.32.0, < 1.34.3 | 1.34.3 |