CVE-2023-36674
MEDIUM5.3EPSS 0.04%Published: 8/20/2023Modified: 4/28/2026
Description
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.
Affected packages (2)
- Bitnami/mediawikifrom 0, < 1.35.11, >= 1.36.0, < 1.38.7, >= 1.39.0, < 1.39.4, >= 1.40.0, < 1.40.1
- Debian/mediawikifrom 0, < 1:1.35.11-1~deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References (6)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-36674
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O/
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2023-36674
- WEBhttps://phabricator.wikimedia.org/T335612