CVE-2016-6337

Published: Apr 20, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights.

Affected (1)

Products: Mediawiki: Mediawiki

Mediawiki

1 product

Mediawiki

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Version 1.27.0

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html

Source: secalert@redhat.com

Mailing ListPatchVendor Advisory

https://phabricator.wikimedia.org/T139670

Source: secalert@redhat.com

PatchThird Party Advisory

https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchVendor Advisory

https://phabricator.wikimedia.org/T139670

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.