CVE-2016-6335
HIGHMediaWiki <1.23.15, <1.26.4, <1.27.1 - Info Disclosure
Title source: llmDescription
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php.
References (4)
Core 4
Core References
Patch, Third Party Advisory x_refsource_confirm
https://phabricator.wikimedia.org/T139570
Mailing List, Patch, Vendor Advisory mailing-list
x_refsource_mlist
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1369613
Third Party Advisory x_refsource_confirm
https://phabricator.wikimedia.org/T139565
Scores
CVSS v3
7.5
EPSS
0.0027
EPSS Percentile
50.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (7)
mediawiki/mediawiki
1.26.0
mediawiki/mediawiki
1.26.1
mediawiki/mediawiki
1.26.2
mediawiki/mediawiki
1.26.3
mediawiki/mediawiki
1.26.4
mediawiki/mediawiki
1.27.0
mediawiki/mediawiki
< 1.23.14
Published
Apr 20, 2017
Tracked Since
Feb 18, 2026