CVE-2021-30153

An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/
https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html	Mailing List Patch Vendor Advisory
https://phabricator.wikimedia.org/T270453	Exploit Vendor Advisory
https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/
https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html	Mailing List Patch Vendor Advisory
https://phabricator.wikimedia.org/T270453	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mediawiki:mediawiki::::::::
	cpe:2.3:a:mediawiki:mediawiki::::::::

History

21 Nov 2024, 06:03

Type	Values Removed	Values Added
References	~~() https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/ -~~	() https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/ -
References	~~() https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html - Mailing List, Patch, Vendor Advisory~~	() https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html - Mailing List, Patch, Vendor Advisory
References	~~() https://phabricator.wikimedia.org/T270453 - Exploit, Vendor Advisory~~	() https://phabricator.wikimedia.org/T270453 - Exploit, Vendor Advisory

25 Apr 2023, 18:12

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mediawiki:mediawiki::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
CWE		CWE-668
References	~~(MISC) https://phabricator.wikimedia.org/T270453 -~~	(MISC) https://phabricator.wikimedia.org/T270453 - Exploit, Vendor Advisory
References	~~(CONFIRM) https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html -~~	(CONFIRM) https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html - Mailing List, Patch, Vendor Advisory
References	~~(CONFIRM) https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/ -~~	(CONFIRM) https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/ - Mailing List, Patch, Vendor Advisory

17 Apr 2023, 13:12

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-04-15 20:16

Updated : 2025-02-06 17:15

NVD link : CVE-2021-30153

Mitre link : CVE-2021-30153

CVE.ORG link : CVE-2021-30153

JSON object : View

Products Affected

mediawiki

mediawiki

CWE

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2021-30153", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-04-15T20:16:00.570", "references": [{"url": "https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/", "source": "cve@mitre.org"}, {"url": "https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://phabricator.wikimedia.org/T270453", "tags": ["Exploit", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://phabricator.wikimedia.org/T270453", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-668"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor."}], "lastModified": "2025-02-06T17:15:12.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "130F776B-EE19-44AF-A088-072E5B0EDB1B", "versionEndExcluding": "1.31.13"}, {"criteria": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16A05863-89D9-435E-B92D-5FC6396C5B3D", "versionEndExcluding": "1.35.2", "versionStartIncluding": "1.32.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

4.3 /10