MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php.
References
Link | Resource |
---|---|
https://phabricator.wikimedia.org/T139570 | Patch Third Party Advisory |
https://phabricator.wikimedia.org/T139565 | Third Party Advisory |
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html | Mailing List Patch Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=1369613 | Issue Tracking |
Configurations
Configuration 1 (hide)
|
Information
Published : 2017-04-20 10:59
Updated : 2017-04-24 13:24
NVD link : CVE-2016-6335
Mitre link : CVE-2016-6335
JSON object : View
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Products Affected
mediawiki
- mediawiki