CVE-2021-30153
MEDIUM4.3EPSS 0.22%Published: 4/15/2023Modified: 4/28/2026
Description
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.
Affected packages (2)
- Bitnami/mediawikifrom 0, < 1.31.13, >= 1.32.0, < 1.35.2
- Debian/mediawikifrom 0, < 1:1.35.2-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (5)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-30153
- WEBhttps://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/
- WEBhttps://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2021-30153
- WEBhttps://phabricator.wikimedia.org/T270453