CVE-2019-19709

MEDIUM6.1EPSS 0.32%

Possible to circumvent title-blacklist

Published: 5/24/2022Modified: 4/28/2026

Also known as:GHSA-pjv5-vv93-p648DEBIAN-CVE-2019-19709

Description

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.

Affected packages (3)

Debian/mediawikifrom 0, < 1:1.31.6-1
Debian/mediawikifrom 0, < 1:1.27.7-1~deb9u3
Packagist/mediawiki/core>= 1.31.0, < 1.31.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (8)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-19709
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-19709
PATCHhttps://github.com/wikimedia/mediawiki
WEBhttps://gerrit.wikimedia.org/r/q/Ie54f366986056c876eade0fcad6c41f70b8b8de8
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-19709.yaml
WEBhttps://phabricator.wikimedia.org/T239466
WEBhttps://seclists.org/bugtraq/2019/Dec/48
WEBhttps://www.debian.org/security/2019/dsa-4592