CVE-2021-30153
Published: 15 April 2023
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
mediawiki Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Not vulnerable
(code not present)
|
|
| impish |
Not vulnerable
(code not present)
|
|
| jammy |
Not vulnerable
(code not present)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(1:1.35.2-1)
|
|
| xenial |
Does not exist
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References
- https://phabricator.wikimedia.org/T270453
- https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html
- https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/VisualEditor/+/1b34b59aa72b6cad2eb2b4c622828b08db9aa7ef%5E%21/#F0
- https://www.cve.org/CVERecord?id=CVE-2021-30153
- NVD
- Launchpad
- Debian