CVE-2016-6336
MEDIUM
MediaWiki <1.23.15, <1.26.x-1.26.4, <1.27.x-1.27.1 - Auth Bypass
Title source: llm
Description
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete.
References (3)
Core References
Mailing List, Patch, Vendor Advisory mailing-list
x_refsource_mlist
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1369613
Patch, Third Party Advisory x_refsource_confirm
https://phabricator.wikimedia.org/T132926
Scores
CVSS v3: 6.5
EPSS: 0.0010
EPSS Percentile: 28.0%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-284
Status: published
Products (7)
mediawiki/mediawiki 1.26.0
mediawiki/mediawiki 1.26.1
mediawiki/mediawiki 1.26.2
mediawiki/mediawiki 1.26.3
mediawiki/mediawiki 1.26.4
mediawiki/mediawiki 1.27.0
mediawiki/mediawiki < 1.23.14
Published: Apr 20, 2017
Tracked Since: Feb 18, 2026