Vulnerabilities related to Wikimedia Foundation - MediaWiki
CVE-2025-32697 (GCVE-0-2025-32697)
Vulnerability from cvelistv5
Published
2025-04-10 18:29
Modified
2025-04-10 19:05
CWE
- CWE-281 - Improper Preservation of Permissions
Summary
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.php, includes/Permissions/PermissionManager.php, includes/Permissions/RestrictionStore.php.
This issue affects MediaWiki: before 1.42.6, 1.43.1.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Wikimedia Foundation | MediaWiki |
Version: 0 ≤ |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32697", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-10T19:05:19.090332Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-10T19:05:48.098Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "MediaWiki", "programFiles": [ "includes/editpage/IntroMessageBuilder.php", "includes/Permissions/PermissionManager.php", "includes/Permissions/RestrictionStore.php" ], "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master", "vendor": "Wikimedia Foundation", "versions": [ { "lessThan": "1.42.6, 1.43.1", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/editpage/IntroMessageBuilder.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Permissions/PermissionManager.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Permissions/RestrictionStore.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.42.6, 1.43.1.\u003c/p\u003e" } ], "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php.\n\nThis issue affects MediaWiki: before 1.42.6, 1.43.1." 
} ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 0, "baseSeverity": "NONE", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-281", "description": "CWE-281 Improper Preservation of Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-10T18:29:17.482Z", "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation" }, "references": [ { "url": "https://phabricator.wikimedia.org/T140010" }, { "url": "https://phabricator.wikimedia.org/T62109" }, { "url": "https://phabricator.wikimedia.org/T24521" } ], "source": { "defect": [ "https://phabricator.wikimedia.org/T140010" ], "discovery": "UNKNOWN" }, "title": "Cascading protection is not preventing file reversions", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "assignerShortName": "wikimedia-foundation", "cveId": "CVE-2025-32697", "datePublished": "2025-04-10T18:29:17.482Z", "dateReserved": "2025-04-09T12:54:49.385Z", "dateUpdated": "2025-04-10T19:05:48.098Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3469 (GCVE-0-2025-3469)
Vulnerability from cvelistv5
Published
2025-04-10 18:28
Modified
2025-04-10 19:06
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program file includes/htmlform/fields/HTMLMultiSelectField.php.
This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Wikimedia Foundation | MediaWiki |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3469", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-10T19:06:28.941077Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-10T19:06:36.330Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "MediaWiki", "programFiles": [ "includes/htmlform/fields/HTMLMultiSelectField.php" ], "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master", "vendor": "Wikimedia Foundation", "versions": [ { "lessThan": "1.39.12, 1.42.6, 1.43.1", "status": "affected", "version": "0", "versionType": "semv" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Daimona" }, { "lang": "en", "type": "reporter", "value": "Daimona" }, { "lang": "en", "type": "remediation developer", "value": "Daimona" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/htmlform/fields/HTMLMultiSelectField.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e" } ], "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1." 
} ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 0, "baseSeverity": "NONE", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-10T18:28:13.370Z", "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation" }, "references": [ { "url": "https://phabricator.wikimedia.org/T358689" } ], "source": { "defect": [ "https://phabricator.wikimedia.org/T358689" ], "discovery": "INTERNAL" }, "title": "i18n XSS vulnerability in HTMLMultiSelectField when sections are used", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "assignerShortName": "wikimedia-foundation", "cveId": "CVE-2025-3469", "datePublished": "2025-04-10T18:28:13.370Z", "dateReserved": "2025-04-09T14:30:16.780Z", "dateUpdated": "2025-04-10T19:06:36.330Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-6451 (GCVE-0-2013-6451)
Vulnerability from cvelistv5
Published
2020-01-28 14:56
Modified
2024-08-06 17:39
CWE
- Cross-Site Scripting
Summary
Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Wikimedia Foundation | MediaWiki |
Version: 1.19.9 before 1.19.10 Version: 1.2x before 1.21.4 Version: 1.22.x before 1.22.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:39:01.483Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "MediaWiki", "vendor": "Wikimedia Foundation", "versions": [ { "status": "affected", "version": "1.19.9 before 1.19.10" }, { "status": "affected", "version": "1.2x before 1.21.4" }, { "status": "affected", "version": "1.22.x before 1.22.1" } ] } ], "datePublic": "2014-01-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T14:56:22", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-6451", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "MediaWiki", "version": { "version_data": [ { "version_value": "1.19.9 before 1.19.10" }, { "version_value": "1.2x before 1.21.4" }, { "version_value": "1.22.x before 1.22.1" } ] } } ] }, "vendor_name": "Wikimedia Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 
1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html", "refsource": "MISC", "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-6451", "datePublished": "2020-01-28T14:56:22", "dateReserved": "2013-11-04T00:00:00", "dateUpdated": "2024-08-06T17:39:01.483Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-6455 (GCVE-0-2013-6455)
Vulnerability from cvelistv5
Published
2020-01-28 14:54
Modified
2024-08-06 17:39
CWE
- Path Disclosure
Summary
The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Wikimedia Foundation | MediaWiki |
Version: before 1.19.10 Version: 1.2x before 1.21.4 Version: 1.22.x before 1.22.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:39:01.461Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "MediaWiki", "vendor": "Wikimedia Foundation", "versions": [ { "status": "affected", "version": "before 1.19.10" }, { "status": "affected", "version": "1.2x before 1.21.4" }, { "status": "affected", "version": "1.22.x before 1.22.1" } ] } ], "datePublic": "2014-01-14T00:00:00", "descriptions": [ { "lang": "en", "value": "The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page." } ], "problemTypes": [ { "descriptions": [ { "description": "Path Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T14:54:22", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-6455", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "MediaWiki", "version": { "version_data": [ { "version_value": "before 1.19.10" }, { "version_value": "1.2x before 1.21.4" }, { "version_value": "1.22.x before 1.22.1" } ] } } ] }, "vendor_name": "Wikimedia Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 
1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html", "refsource": "MISC", "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-6455", "datePublished": "2020-01-28T14:54:22", "dateReserved": "2013-11-04T00:00:00", "dateUpdated": "2024-08-06T17:39:01.461Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-4303 (GCVE-0-2013-4303)
Vulnerability from cvelistv5
Published
2019-12-11 18:30
Modified
2024-08-06 16:38
CWE
- Cross-Site Scripting
Summary
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Wikimedia Foundation | MediaWiki |
Version: 1.19.x before 1.19.8 Version: 1.20.x before 1.20.7 Version: 1.21.x before 1.21.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:38:01.957Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://seclists.org/oss-sec/2013/q3/553" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.securityfocus.com/bid/62194" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "MediaWiki", "vendor": "Wikimedia Foundation", "versions": [ { "status": "affected", "version": "1.19.x before 1.19.8" }, { "status": "affected", "version": "1.20.x before 1.20.7" }, { "status": "affected", "version": "and 1.21.x before 1.21.2" } ] } ], "datePublic": "2013-09-03T00:00:00", "descriptions": [ { "lang": "en", "value": "includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of \".\" (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-12-11T18:30:37", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://seclists.org/oss-sec/2013/q3/553" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.securityfocus.com/bid/62194" }, { "tags": [ "x_refsource_MISC" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4303", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "MediaWiki", "version": { "version_data": [ { "version_value": "1.19.x before 1.19.8" }, { "version_value": "1.20.x before 1.20.7" }, { "version_value": "and 1.21.x before 1.21.2" } ] } } ] }, "vendor_name": "Wikimedia Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of \".\" (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html", "refsource": "MISC", "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html" }, { "name": "http://seclists.org/oss-sec/2013/q3/553", "refsource": "MISC", "url": "http://seclists.org/oss-sec/2013/q3/553" }, { "name": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746", "refsource": "MISC", "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746" }, { "name": "http://www.securityfocus.com/bid/62194", "refsource": "MISC", "url": "http://www.securityfocus.com/bid/62194" }, { "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897", "refsource": "MISC", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4303", "datePublished": "2019-12-11T18:30:37", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:38:01.957Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32700 (GCVE-0-2025-32700)
Vulnerability from cvelistv5
Published
2025-04-10 18:31
Modified
2025-04-10 18:49
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.php, includes/Pager/AbuseLogPager.php, includes/Special/SpecialAbuseLog.php, includes/View/AbuseFilterViewExamine.php.
This issue affects AbuseFilter: from 1.43.0 before 1.43.1.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Wikimedia Foundation | MediaWiki |
Version: >= 1.43.0 ≤ |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32700", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-10T18:49:42.892657Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-10T18:49:53.510Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "AbuseFilter", "product": "MediaWiki", "programFiles": [ "includes/Api/QueryAbuseLog.php", "includes/Pager/AbuseLogPager.php", "includes/Special/SpecialAbuseLog.php", "includes/View/AbuseFilterViewExamine.php" ], "repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/AbuseFilter/+/refs/heads/master", "vendor": "Wikimedia Foundation", "versions": [ { "lessThan": "1.43.1", "status": "affected", "version": "\u003e= 1.43.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Dreamy_Jazz" }, { "lang": "en", "type": "remediation developer", "value": "Dreamy_Jazz" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/Api/QueryAbuseLog.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Pager/AbuseLogPager.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Special/SpecialAbuseLog.Php\u003c/tt\u003e, \u003ctt\u003eincludes/View/AbuseFilterViewExamine.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects AbuseFilter: from \u0026gt;= 1.43.0 before 1.43.1.\u003c/p\u003e" } ], "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. 
This vulnerability is associated with program files includes/Api/QueryAbuseLog.Php, includes/Pager/AbuseLogPager.Php, includes/Special/SpecialAbuseLog.Php, includes/View/AbuseFilterViewExamine.Php.\n\nThis issue affects AbuseFilter: from \u003e= 1.43.0 before 1.43.1." } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-10T18:31:03.497Z", "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation" }, "references": [ { "url": "https://phabricator.wikimedia.org/T389235" } ], "source": { "defect": [ "https://phabricator.wikimedia.org/T389235" ], "discovery": "INTERNAL" }, "title": "AbuseFilter log interfaces expose global private and hidden filters when central DB is not available", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "assignerShortName": "wikimedia-foundation", "cveId": "CVE-2025-32700", "datePublished": "2025-04-10T18:31:03.497Z", "dateReserved": "2025-04-09T12:54:49.385Z", "dateUpdated": 
"2025-04-10T18:49:53.510Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32696 (GCVE-0-2025-32696)
Vulnerability from cvelistv5
Published
2025-04-10 18:28
Modified
2025-04-10 19:06
CWE
- CWE-281 - Improper Preservation of Permissions
Summary
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.php, includes/api/ApiFileRevert.php.
This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Wikimedia Foundation | MediaWiki |
Version: 0 ≤ |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32696", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-10T19:06:02.895680Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-10T19:06:14.490Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "MediaWiki", "programFiles": [ "includes/actions/RevertAction.php", "includes/api/ApiFileRevert.php" ], "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master", "vendor": "Wikimedia Foundation", "versions": [ { "lessThan": "1.39.12, 1.42.6, 1.43.1", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Porplemontage" }, { "lang": "en", "type": "remediation developer", "value": "Bartosz Dziewo\u0144ski" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/actions/RevertAction.Php\u003c/tt\u003e, \u003ctt\u003eincludes/api/ApiFileRevert.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e" } ], "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1." 
} ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 0, "baseSeverity": "NONE", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-281", "description": "CWE-281 Improper Preservation of Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-10T18:28:48.161Z", "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation" }, "references": [ { "url": "https://phabricator.wikimedia.org/T304474" } ], "source": { "defect": [ "https://phabricator.wikimedia.org/T304474" ], "discovery": "UNKNOWN" }, "title": "\"reupload-own\" restriction can be bypassed by reverting file", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "assignerShortName": "wikimedia-foundation", "cveId": "CVE-2025-32696", "datePublished": "2025-04-10T18:28:48.161Z", "dateReserved": "2025-04-09T12:54:49.385Z", "dateUpdated": "2025-04-10T19:06:14.490Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32699 (GCVE-0-2025-32699)
Vulnerability from cvelistv5
Published
2025-04-10 18:30
Modified
2025-04-10 18:51
CWE
Summary
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Wikimedia Foundation | MediaWiki |
Version: 0 ≤ |
||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32699", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-10T18:51:20.639216Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-10T18:51:28.531Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "MediaWiki", "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master", "vendor": "Wikimedia Foundation", "versions": [ { "lessThan": "1.39.12, 1.42.6, 1.43.1", "status": "affected", "version": "0", "versionType": "semver" } ] }, { "defaultStatus": "unaffected", "product": "Parsoid", "repo": "https://gerrit.wikimedia.org/g/mediawiki/services/parsoid/+/refs/heads/master", "vendor": "Wikimedia Foundation", "versions": [ { "lessThan": "0.16.5, 0.19.2, 0.20.2", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.\u003c/p\u003e" } ], "value": "Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2." 
} ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 2.1, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-10T18:30:24.238Z", "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation" }, "references": [ { "url": "https://phabricator.wikimedia.org/T387130" } ], "source": { "defect": [ "https://phabricator.wikimedia.org/T387130" ], "discovery": "INTERNAL" }, "title": "Potential javascript injection attack enabled by Unicode normalization in Action API", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "assignerShortName": "wikimedia-foundation", "cveId": "CVE-2025-32699", "datePublished": "2025-04-10T18:30:24.238Z", "dateReserved": "2025-04-09T12:54:49.385Z", "dateUpdated": "2025-04-10T18:51:28.531Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-4572 (GCVE-0-2013-4572)
Vulnerability from cvelistv5
Published
2020-02-06 14:40
Modified
2024-08-06 16:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Other
Summary
The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.
References
► | URL | Tags |
---|---|---|
|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Wikimedia Foundation | MediaWiki |
Version: before 1.19.9 Version: 1.20.x before 1.20.8 Version: 1.21.x before 1.21.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:45:15.240Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "MediaWiki", "vendor": "Wikimedia Foundation", "versions": [ { "status": "affected", "version": "before 1.19.9" }, { "status": "affected", "version": "1.20.x before 1.20.8" }, { "status": "affected", "version": "1.21.x before 1.21.3" } ] } ], "datePublic": "2013-08-19T00:00:00", "descriptions": [ { "lang": "en", "value": "The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Other", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-06T14:40:13", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032" }, { "tags": [ "x_refsource_MISC" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4572", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "MediaWiki", "version": { "version_data": [ { "version_value": "before 1.19.9" }, { "version_value": "1.20.x before 1.20.8" }, { "version_value": "1.21.x before 1.21.3" } ] } } ] }, "vendor_name": "Wikimedia Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Other" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032", "refsource": "MISC", "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032" }, { "name": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html", "refsource": "MISC", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html" }, { "name": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html", "refsource": "MISC", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html" }, { "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html", "refsource": "CONFIRM", "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4572", "datePublished": "2020-02-06T14:40:13", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:15.240Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32698 (GCVE-0-2025-32698)
Vulnerability from cvelistv5
Published
2025-04-10 18:29
Modified
2025-04-10 18:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.php.
This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Wikimedia Foundation | MediaWiki |
Version: 0 ≤ |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32698", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-10T18:51:46.269330Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-10T18:51:57.692Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "MediaWiki", "programFiles": [ "includes/logging/LogPager.php" ], "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master", "vendor": "Wikimedia Foundation", "versions": [ { "lessThan": "1.39.12, 1.42.6, 1.43.1", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "A_smart_kitten" }, { "lang": "en", "type": "remediation developer", "value": "Bartosz Dziewo\u0144ski" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/logging/LogPager.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e" } ], "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1." 
} ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.1, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-10T18:29:52.354Z", "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation" }, "references": [ { "url": "https://phabricator.wikimedia.org/T385958" } ], "source": { "defect": [ "https://phabricator.wikimedia.org/T385958" ], "discovery": "UNKNOWN" }, "title": "LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "assignerShortName": "wikimedia-foundation", "cveId": "CVE-2025-32698", "datePublished": "2025-04-10T18:29:52.354Z", "dateReserved": "2025-04-09T12:54:49.385Z", "dateUpdated": "2025-04-10T18:51:57.692Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }