Description
ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php.
References (3)
Core 3
Core References
Mailing List, Patch, Vendor Advisory mailing-list
x_refsource_mlist
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1369613
Patch, Third Party Advisory x_refsource_confirm
https://phabricator.wikimedia.org/T115333
Scores
CVSS v3
7.5
EPSS
0.0017
EPSS Percentile
37.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-284
Status
published
Products (7)
mediawiki/mediawiki
1.26.0
mediawiki/mediawiki
1.26.1
mediawiki/mediawiki
1.26.2
mediawiki/mediawiki
1.26.3
mediawiki/mediawiki
1.26.4
mediawiki/mediawiki
1.27.0
mediawiki/mediawiki
< 1.23.14
Published
Apr 20, 2017
Tracked Since
Feb 18, 2026