Platform: php
Component: mediawiki-scratch-login
Fixed in: 1.1.1
CVE-2020-15164 describes an authentication bypass vulnerability in Scratch Login, a MediaWiki extension. The flaw allows an attacker to log into any account by submitting a username with leading, trailing, or repeated underscores, which the extension incorrectly treats as whitespace, so several distinct names resolve to the same account. The vulnerability affects installations of Scratch Login prior to version 1.1. A fix was released in version 1.1, which addresses the issue by ignoring verification comments from users whose usernames would be trimmed.
The impact of this vulnerability is significant due to its ease of exploitation and potential for widespread compromise. An attacker can gain unauthorized access to any user account on a MediaWiki installation utilizing Scratch Login. This could lead to data breaches, unauthorized modifications to wiki content, and potential disruption of services. The ability to bypass authentication without needing valid credentials makes this a high-risk vulnerability, particularly for wikis with sensitive information or critical functionality. The simplicity of the attack vector means that even non-technical users could potentially exploit this flaw.
CVE-2020-15164 was publicly disclosed on August 28, 2020. While no active exploitation campaigns have been definitively linked to this vulnerability, its ease of exploitation makes it a potential target. It is not currently listed on CISA KEV. Public proof-of-concept exploits are readily available, increasing the risk of opportunistic attacks.
Exploit Status
EPSS: 0.26% (49th percentile)
CVSS Vector
The primary mitigation for CVE-2020-15164 is to upgrade Scratch Login to version 1.1 or later. If an immediate upgrade is not feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While no direct WAF rules can prevent this, strict input validation on username fields within the MediaWiki installation could offer some limited protection. Regularly review user accounts and audit logs for suspicious activity, particularly logins with unusual usernames. After upgrading, confirm the fix by attempting to log in with a username containing leading, trailing, or repeated underscores; the login should fail.
Update the Scratch Login extension to version 1.1 or higher. This version fixes the authentication bypass vulnerability by validating usernames. The update will prevent unauthorized users from accessing accounts using usernames manipulated with whitespace.
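To make the normalisation problem described above concrete, the following added PHP illustration (not the extension's code) models a username canonicalisation in which underscores become whitespace and the result is trimmed, shows how look-alike names collapse onto one account, and contrasts it with the validating check the fix describes: reject any name that would change under normalisation. The function names and the sample usernames are constructed for this example.

```php
<?php
// Hypothetical model of the vulnerable behaviour: underscores are treated
// as spaces, runs of whitespace collapse, and the result is trimmed.
// Distinct inputs such as "_Alice", "Alice__" and "Alice" all become "Alice".
function normalizeUsername(string $name): string {
    $spaced    = str_replace('_', ' ', $name);
    $collapsed = preg_replace('/\s+/', ' ', $spaced);
    return trim($collapsed);
}

// Hardened check in the spirit of the fix described on this page: a name is
// acceptable only if normalisation leaves it unchanged, so a name that
// "would be trimmed" can never be matched to another user's account.
function isAcceptableUsername(string $name): bool {
    return $name !== '' && normalizeUsername($name) === $name;
}

// Vulnerable comparison: matches on normalised forms, so proof of control
// of the account "_Alice" is accepted as proof of control of "Alice".
function matchesVulnerable(string $claimed, string $verified): bool {
    return normalizeUsername($claimed) === normalizeUsername($verified);
}

// Fixed comparison: both names must survive normalisation unchanged and
// must be byte-for-byte identical.
function matchesFixed(string $claimed, string $verified): bool {
    return isAcceptableUsername($claimed)
        && isAcceptableUsername($verified)
        && $claimed === $verified;
}

// Constructed sample: look-alike names tested against the legitimate
// account name "Alice". Only the exact name should match after the fix.
$victim = 'Alice';
foreach (['_Alice', 'Alice__', '__Alice__', 'Alice'] as $candidate) {
    printf(
        "%-10s vulnerable=%-5s fixed=%s\n",
        $candidate,
        matchesVulnerable($candidate, $victim) ? 'match' : 'no',
        matchesFixed($candidate, $victim) ? 'match' : 'no'
    );
}
```

Under the vulnerable comparison every row reports a match; under the fixed comparison only the exact name "Alice" does, which is also what the post-upgrade verification step in the mitigation section checks for.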
CVE-2020-15164 is a critical vulnerability in the Scratch Login MediaWiki extension allowing attackers to bypass authentication by manipulating usernames with underscores.
You are affected if you are using Scratch Login version 1.1 or earlier. Check your extension version immediately.
Upgrade Scratch Login to version 1.1 or later to resolve the authentication bypass vulnerability.
While no confirmed active campaigns are known, the ease of exploitation makes it a potential target for opportunistic attacks.
Refer to the MediaWiki security page for details: https://www.mediawiki.org/wiki/Security_alerts