CVE-2019-12470 — Missing Authorization in Mediawiki

CWE-862 — Missing Authorization CWE-284 — Improper Access Control5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 62.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Mediawiki Core Debian Mediawiki +1 more

Timeline

PublishedJul 10

Latest updateMay 24

Description

Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Packagistmediawiki/core1.27.0 — 1.27.6+3

▶debiandebian/mediawiki< mediawiki 1:1.31.2-1 (bookworm)

▶NVDmediawiki/mediawiki1.27.7 — 1.30.2+3

▶Debianmediawiki/mediawiki< 1:1.31.2-1+3

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

Wikimedia MediaWik exposed suppressed log in RevisionDelete page↗2022-05-24

▶

OSV

Wikimedia MediaWik exposed suppressed log in RevisionDelete page↗2022-05-24

▶

OSV

CVE-2019-12470: Wikimedia MediaWiki through 1↗2019-07-10

▶

📋Vendor Advisories

Debian

CVE-2019-12470: mediawiki - Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log ...↗2019

▶