Description
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1034028
Vendor Advisory x_refsource_confirm
https://phabricator.wikimedia.org/T108616
Patch, Vendor Advisory mailing-list
x_refsource_mlist
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html
Scores
EPSS
0.0025
EPSS Percentile
48.6%
Details
CWE
CWE-200
Status
published
Products (8)
mediawiki/mediawiki
1.24.0
mediawiki/mediawiki
1.24.1
mediawiki/mediawiki
1.24.2
mediawiki/mediawiki
1.24.3
mediawiki/mediawiki
1.25.0
mediawiki/mediawiki
1.25.1
mediawiki/mediawiki
1.25.2
mediawiki/mediawiki
< 1.23.10
Published
Nov 09, 2015
Tracked Since
Feb 18, 2026