CVE-2021-36127

Published: Jul 2, 2021Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed to be completely hidden).

Affected (1)

Products: Mediawiki: Mediawiki

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Up to 1.36

Related CWEs

Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

References (4)

https://gerrit.wikimedia.org/r/q/I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec

Source: cve@mitre.org

PatchVendor Advisory

https://phabricator.wikimedia.org/T285190

Source: cve@mitre.org

ExploitIssue TrackingPatchVendor Advisory

https://gerrit.wikimedia.org/r/q/I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://phabricator.wikimedia.org/T285190

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchVendor Advisory

Timeline

No history available yet.