{"id":"CVE-2021-41801","details":"The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog)","aliases":["BIT-mediawiki-2021-41801"],"modified":"2026-03-13T05:14:00.105046Z","published":"2021-10-11T08:15:06.857Z","related":["MGASA-2021-0477"],"references":[{"type":"WEB","url":"https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/"},{"type":"FIX","url":"https://phabricator.wikimedia.org/T279090"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wikimedia/mediawiki","events":[{"introduced":"0"},{"fixed":"8d00acfb43e9bd03ba7711126b03e9e6eaa918d5"},{"introduced":"9b8a1684d4a81d1e617bfb7c9b39a347fc454b53"},{"fixed":"4a3d6a63f4656877f454f050355ee565b97f40f4"},{"introduced":"bc542ec6d8573dfb906b468901799e0017875f1e"},{"fixed":"f65f9d6971578b301ef9fc915a729e6a13266a5e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.31.16"},{"introduced":"1.35.0"},{"fixed":"1.35.4"},{"introduced":"1.36.0"},{"fixed":"1.36.2"}]}}],"versions":["1.35.0","1.35.1","1.35.2","1.35.3","1.36.0","1.36.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41801.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}