Description

An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.

Remediation

References

CVE-2021-30153

Related Vulnerabilities

WordPress Plugin Product Catalog Cross-Site Scripting (4.2.8)

Oracle JRE CVE-2019-2975 Vulnerability (CVE-2019-2975)

jPlayer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-2023)

WordPress Plugin GN Publisher: Google News Compatible RSS Feeds Cross-Site Scripting (1.5.5)

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-4360)

Severity

Medium

Classification

CVE-2021-30153 CWE-668 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities