CVE-2016-6332

Published: Apr 20, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to terminate sessions when a user account is blocked.

Affected (7)

Products: Mediawiki: Mediawiki

1 product

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Up to 1.23.14
Mediawiki Mediawiki	Version 1.26.0
Mediawiki Mediawiki	Version 1.26.1
Mediawiki Mediawiki	Version 1.26.2
Mediawiki Mediawiki	Version 1.26.3
Mediawiki Mediawiki	Version 1.26.4
Mediawiki Mediawiki	Version 1.27.0

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

https://bugzilla.redhat.com/show_bug.cgi?id=1369613

Source: secalert@redhat.com

Issue Tracking

https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html

Source: secalert@redhat.com

Mailing ListPatchVendor Advisory

https://phabricator.wikimedia.org/T129738

Source: secalert@redhat.com

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1369613

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchVendor Advisory

https://phabricator.wikimedia.org/T129738

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.