CVE-2023-36674 — Improper Input Validation in Mediawiki

CWE-20 — Improper Input Validation5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 86.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki

Timeline

PublishedAug 20

Description

An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.39.4-1~deb12u1 (bookworm)

▶NVDmediawiki/mediawiki1.36.0 — 1.38.7+3

▶Debianmediawiki/mediawiki< 1:1.35.11-1~deb11u1+3

Patches

Patch: phabricator.wikimedia.org ↗Patch: phabricator.wikimedia.org ↗

🔴Vulnerability Details

OSV

CVE-2023-36674: An issue was discovered in MediaWiki before 1↗2023-08-20

▶

GHSA

GHSA-5998-5c6q-8v55: An issue was discovered in MediaWiki before 1↗2023-08-20

▶

📋Vendor Advisories

Red Hat

MediaWiki: Manualthumb bypasses badFile lookup↗2023-06-30

▶

Debian

CVE-2023-36674: mediawiki - An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x befor...↗2023

▶