An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead.
References
Link | Resource |
---|---|
https://phabricator.wikimedia.org/T297322 | Patch Vendor Advisory |
https://security.gentoo.org/glsa/202305-24 | |
https://www.mediawiki.org/wiki/2021-12_security_release/FAQ | Mitigation Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 May 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Dec 2021, 18:18
Type | Values Removed | Values Added |
---|---|---|
First Time |
Mediawiki
Mediawiki mediawiki |
|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 7.5 |
References | (CONFIRM) https://www.mediawiki.org/wiki/2021-12_security_release/FAQ - Mitigation, Vendor Advisory | |
References | (MISC) https://phabricator.wikimedia.org/T297322 - Patch, Vendor Advisory | |
CWE | CWE-276 | |
CPE | cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:* |
20 Dec 2021, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-12-20 09:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-44858
Mitre link : CVE-2021-44858
CVE.ORG link : CVE-2021-44858
JSON object : View
Products Affected
mediawiki
- mediawiki
CWE
CWE-276
Incorrect Default Permissions