CVE-2023-29137

An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users.
References
Link Resource
https://phabricator.wikimedia.org/T328643 Issue Tracking Patch
Configurations

Configuration 1 (hide)

cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*

History

10 Apr 2023, 17:08

Type Values Removed Values Added
First Time Mediawiki
Mediawiki mediawiki
References (MISC) https://phabricator.wikimedia.org/T328643 - (MISC) https://phabricator.wikimedia.org/T328643 - Issue Tracking, Patch
CPE cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3
CWE NVD-CWE-noinfo

31 Mar 2023, 19:17

Type Values Removed Values Added
New CVE

Information

Published : 2023-03-31 19:15

Updated : 2023-12-10 15:01


NVD link : CVE-2023-29137

Mitre link : CVE-2023-29137

CVE.ORG link : CVE-2023-29137


JSON object : View

Products Affected

mediawiki

  • mediawiki