SetTranslationHandler.php does not validate that the user is an election admin, allowing any (even unauthenticated) user to change election-related translation text. While partially broken in newer MediaWiki versions, the check is still missing.
This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
CVSS
No CVSS.
References
Configurations
No configuration.
History
04 Jul 2025, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-07-04 18:15
Updated : 2025-07-04 18:15
NVD link : CVE-2025-53485
Mitre link : CVE-2025-53485
CVE.ORG link : CVE-2025-53485
JSON object : View
Products Affected
No product.
CWE
CWE-862
Missing Authorization