CVE-2020-35624

Vulnerability

The SecurePoll extension for MediaWiki through version 1.35.1 exposes a full vote timestamp in the non-admin vote list. This occurs because the vote list view intended for non-administrators does not strip or obfuscate the precise timestamp associated with each vote. The affected versions include all MediaWiki installations using SecurePoll up to and including 1.35.1 [1].

Exploitation

An attacker with non-administrator access to a wiki running SecurePoll can view the non-admin vote list. No special privileges or authentication beyond a standard user account on the wiki are required. The attacker simply navigates to the vote list interface and observes the full timestamps displayed next to each vote entry [1].

Impact

By observing the exact timestamps of votes, an attacker can gain unintended insights into the timing and progression of a voting process. This information could reveal trends such as early or late voting surges, which may compromise the perceived anonymity or fairness of the election. No further system compromise or data modification is possible through this vulnerability; it is strictly an information disclosure issue [1].

Mitigation

MediaWiki addressed this issue in version 1.35.2, released in December 2020. Administrators should upgrade to MediaWiki 1.35.2 or later to ensure the timestamp is no longer exposed to non-admins. If upgrading is not immediately possible, restricting access to the non-admin vote list via custom configuration or access controls can serve as a temporary workaround [1].