CVE-2020-10959
Description
resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki before 1.35 allows remote attackers to force a logout and redirect users to an external URL via crafted HTML in a wiki page.
Vulnerability Overview
The vulnerability, identified as CVE-2020-10959, resides in the resources/src/mediawiki.page.ready/ready.js component of MediaWiki versions prior to 1.35 [1]. The root cause is that the client-side JavaScript used for handling logout button clicks did not sufficiently restrict the destination URL [2]. An attacker can inject crafted HTML content into a wiki page that manipulates the logout button's target, enabling an open redirect upon user interaction [1].
Exploitation Details
To exploit this flaw, an attacker must be able to create or edit wiki pages, which usually requires an authenticated account with the appropriate permissions [1]. The attacker inserts content such as [https://www.example.com/ click] into the page [1]. When a logged-in victim views the manipulated page and clicks the logout button, the browser performs the logout action and is then redirected to the attacker-controlled URL [1][2]. The attack is low-complexity and requires no privileges beyond the ability to add content; the only user interaction needed is loading the manipulated page and clicking the logout button [1].
Impact
A successful exploit forces the user's logout from the wiki and then redirects the browser to an arbitrary external website [1]. This can be abused for information disclosure (post-logout redirects to credential-harvesting sites) or to deliver phishing attacks, undermining the integrity of the wiki's security [1][2]. The vulnerability does not directly enable code execution or privilege escalation, but it facilitates social engineering and session manipulation.
Mitigation Status
The issue was fixed in MediaWiki 1.35 by adding the data-mw="interface" HTML attribute to the logout button and updating the jQuery selector to target [data-mw="interface"] [1][2]. This attribute is automatically filtered from user-generated content, preventing the redirect manipulation [1]. The patch was committed as Gerrit change 536725 (commit rMWd4a552e65bdf) and is also documented in the FriendsOfPHP security advisory [3]. Users are strongly advised to upgrade to the latest stable version to mitigate the risk [2][4].
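The mechanism above (a document-wide jQuery lookup of the logout link versus reading the clicked element's own href) is easy to see in a few lines. The following is an added illustration, not MediaWiki's code: it uses a constructed, minimal stand-in for the DOM (a list of anchors in document order, each tagged with the id of its nearest id-bearing ancestor) instead of a real document, and adds a same-origin check on the post-logout return URL as an extra defence that the page's fix does not itself describe. The hostnames are placeholders.

```javascript
// Constructed stand-in for the rendered page: anchors in document order.
// The first entry models an anchor that user content managed to place under an
// element with id "pt-logout" earlier in the DOM than the skin's real button.
const pageAnchors = [
  { href: 'https://attacker.example/', ancestorId: 'pt-logout' },          // injected
  { href: 'https://wiki.example/wiki/Main_Page', ancestorId: 'pt-logout' }, // real skin link
];

// Models jQuery's $('#pt-logout a').attr('href'): first match in document order.
function firstAnchorUnder(id, doc) {
  return doc.find((a) => a.ancestorId === id) || null;
}

// Vulnerable pattern: the clicked element is ignored and the selector is
// re-resolved over the whole document, so an earlier matching anchor wins.
function returnUrlVulnerable(_clickedAnchor, doc) {
  const first = firstAnchorUnder('pt-logout', doc);
  return first ? first.href : null;
}

// Fixed pattern (as in the patch): use the href of the element that was clicked.
function returnUrlFixed(clickedAnchor) {
  return clickedAnchor.href;
}

// Additional defence (assumption, not part of the page's fix): only follow a
// post-logout URL that resolves to the wiki's own origin. Absolute URLs to other
// hosts, protocol-relative URLs and non-http schemes all fail the check.
function safeReturnUrl(candidate, siteOrigin, fallback) {
  let url;
  try {
    url = new URL(candidate, siteOrigin);
  } catch (e) {
    return fallback; // unparseable input
  }
  return url.origin === siteOrigin ? url.href : fallback;
}

// Usage: the victim clicks the real skin button (index 1).
const clicked = pageAnchors[1];
console.log('vulnerable:', returnUrlVulnerable(clicked, pageAnchors));
console.log('fixed:     ', returnUrlFixed(clicked));
console.log('checked:   ', safeReturnUrl(returnUrlVulnerable(clicked, pageAnchors), 'https://wiki.example', '/'));
```

The same-origin check is deliberately a second layer: the patch's change to `this.href` removes the document-order dependency, and validating the destination against the site origin means a future regression in the selector would still not produce an off-site redirect.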
- [1] T232932 User content can redirect the logout button to different URL (CVE-2020-10959)
- [2] NVD - CVE-2020-10959
- [3] security-advisories/mediawiki/core/CVE-2020-10959.yaml at master · FriendsOfPHP/security-advisories
- [4] GitHub - wikimedia/mediawiki: 🌻 The collaborative editing software that runs Wikipedia. Mirror from https://gerrit.wikimedia.org/g/mediawiki/core. See https://mediawiki.org/wiki/Developer_access for contributing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | < 1.34.0-rc.0 | 1.34.0-rc.0 |
Affected products (3)
- MediaWiki / MediaWiki (source: description)
- OSV coordinates (2 version ranges):
  - (no CPE) range: < 1.35.0
  - (no CPE) range: < 1.34.0-rc.0
Patches (1)
- d4a552e65bdf mediawiki.page.ready: Avoid duplicate DOM query on logout click
1 file changed · +5 −5
resources/src/mediawiki.page.ready/ready.js+5 −5 modified@@ -21,7 +21,7 @@ mw.hook( 'wikipage.content' ).add( function ( $content ) { checkboxShift( $content.find( 'input[type="checkbox"]:not(.noshiftselect)' ) ); } ); -// Things outside the wikipage content +// Handle elements outside the wikipage content $( function () { var $nodes; @@ -56,7 +56,7 @@ $( function () { // Turn logout to a POST action $( '#pt-logout a' ).on( 'click', function ( e ) { var api = new mw.Api(), - returnUrl = $( '#pt-logout a' ).attr( 'href' ); + url = this.href; mw.notify( mw.message( 'logging-out-notify' ), { tag: 'logout', autoHide: false } @@ -65,11 +65,11 @@ $( function () { action: 'logout' } ).then( function () { - location.href = returnUrl; + location.href = url; }, - function ( e ) { + function ( err ) { mw.notify( - mw.message( 'logout-failed', e ), + mw.message( 'logout-failed', err ), { type: 'error', tag: 'logout', autoHide: false } ); }
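Review bot: the second hunk still binds the click handler with the document-wide selector `$( '#pt-logout a' )`, so switching the return URL to `url = this.href` fixes which href is read but does not narrow which anchors the handler is attached to; please document in the commit message that this change also alters which element's href is followed after logout (the current subject, "Avoid duplicate DOM query on logout click", reads as a pure performance cleanup) and consider a selector that cannot match anchors outside the skin's interface elements. The `e` to `err` rename in the third hunk is fine and removes the shadowing of the outer click event parameter `e`.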
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- github.com/advisories/GHSA-mqhw-wq8p-vf5r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-10959 (ghsa, ADVISORY)
- gerrit.wikimedia.org/r/c/mediawiki/core/+/536725 (ghsa, x_refsource_MISC, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2020-10959.yaml (ghsa, WEB)
- github.com/wikimedia/mediawiki/commit/d4a552e65bdfd7309a9b8537e9dbe69c5e2991eb (ghsa, WEB)
- phabricator.wikimedia.org/T232932 (ghsa, x_refsource_MISC, WEB)
- phabricator.wikimedia.org/T240393 (ghsa, x_refsource_MISC, WEB)
News mentions (0)
No linked articles in our index yet.