CVE-2020-35480 Information

Description

An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don’t exist) and hidden users (accounts that have been explicitly hidden due to being abusive or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
https://phabricator.wikimedia.org/T120883
https://www.debian.org/security/2020/dsa-4816
https://lists.debian.org/debian-lts-announce/2020/12/msg00034.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/STT5Z4A3BCXVH3WIPICWU2FP4IPIMUPC/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM