CVE-2021-30153

Published: Apr 15, 2023Modified: Feb 6, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.

Affected (2)

Products: Mediawiki: Mediawiki

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Before 1.31.13
Mediawiki Mediawiki	From 1.32.0 to 1.35.2

Related CWEs

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (6)

https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/

Source: cve@mitre.org

https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html

Source: cve@mitre.org

Mailing ListPatchVendor Advisory

https://phabricator.wikimedia.org/T270453

Source: cve@mitre.org

ExploitVendor Advisory

https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchVendor Advisory

https://phabricator.wikimedia.org/T270453

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.