Mediawiki: >> Mediawiki >> 1.35.0 Security Vulnerabilities
An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.
CVSS Score
5.3
EPSS Score
0.015
Published
2020-12-18
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inability to properly audit and attribute various user actions performed via the FileImporter extension.
CVSS Score
4.3
EPSS Score
0.007
Published
2020-10-22
Page 17