CVE-2021-30153 Information

Description

An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing but hidden user VisualEditor will disclose that the user exists. (It shouldn’t because they are hidden.) This is related to ApiVisualEditor.

Reference

https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html https://lists.wikimedia.org/hyperkitty/list/[email protected]/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/ https://phabricator.wikimedia.org/T270453