CVE-2023-45362 — Mediawiki vulnerability

5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 39.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki

Timeline

PublishedNov 3

Description

An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.39.5-1~deb12u1 (bookworm)

▶NVDmediawiki/mediawiki1.36.0 — 1.39.5+2

▶Debianmediawiki/mediawiki< 1:1.35.13-1~deb11u1+3

Patches

Patch: phabricator.wikimedia.org ↗Patch: phabricator.wikimedia.org ↗

🔴Vulnerability Details

OSV

CVE-2023-45362: An issue was discovered in DifferenceEngine↗2023-11-03

▶

GHSA

GHSA-vpqp-jxq3-5x89: An issue was discovered in DifferenceEngine↗2023-11-03

▶

📋Vendor Advisories

Red Hat

mediawiki: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression↗2023-10-12

▶

Debian

CVE-2023-45362: mediawiki - An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.3...↗2023

▶