An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed).
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Mediawiki | Mediawiki | * | 1.35.8 (excluding) |
Mediawiki | Mediawiki | 1.36.0 (including) | 1.37.5 (excluding) |
Mediawiki | Mediawiki | 1.38.0 (including) | 1.38.3 (excluding) |
Mediawiki | Ubuntu | bionic | * |
Mediawiki | Ubuntu | kinetic | * |
Mediawiki | Ubuntu | lunar | * |
Mediawiki | Ubuntu | mantic | * |
Mediawiki | Ubuntu | trusty | * |
Mediawiki | Ubuntu | xenial | * |