CVE-2021-30153
Published: 15 April 2023
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.
Priority
Status
Package | Release | Status |
---|---|---|
mediawiki (Launchpad, Ubuntu, Debian) | jammy | Not vulnerable (code not present) |
mediawiki | impish | Not vulnerable (code not present) |
mediawiki | bionic | Not vulnerable (code not present) |
mediawiki | focal | Not vulnerable (code not present) |
mediawiki | groovy | Ignored (end of life) |
mediawiki | hirsute | Not vulnerable (code not present) |
mediawiki | trusty | Does not exist |
mediawiki | upstream | Released (1:1.35.2-1) |
mediawiki | xenial | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30153
- https://phabricator.wikimedia.org/T270453
- https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html
- https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/VisualEditor/+/1b34b59aa72b6cad2eb2b4c622828b08db9aa7ef%5E%21/#F0
- NVD
- Launchpad
- Debian