CVE-2023-45370

An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo do not check for the sportsteamsmanager user right, and thus an attacker may be able to affect pages that are concerned with sports teams.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
mediawikimediawiki
𝑥
< 1.35.12
mediawikimediawiki
1.36.0 ≤
𝑥
< 1.39.5
mediawikimediawiki
1.40.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SportsTeams/+/959699/
https://phabricator.wikimedia.org/T345680
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SportsTeams/+/959699/
https://phabricator.wikimedia.org/T345680