Vulnerability Description
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | < 1.31.13 |
Related Weaknesses (CWE)
References
- https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/mes
- https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.htmlMailing ListPatchVendor Advisory
- https://phabricator.wikimedia.org/T270453ExploitVendor Advisory
- https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/mes
- https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.htmlMailing ListPatchVendor Advisory
- https://phabricator.wikimedia.org/T270453ExploitVendor Advisory
FAQ
What is CVE-2021-30153?
CVE-2021-30153 is a vulnerability with a CVSS score of 4.3 (MEDIUM). An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an exis...
How severe is CVE-2021-30153?
CVE-2021-30153 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-30153?
Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki.