CVE-2020-35480

MEDIUM

MediaWiki < 1.35.1 - Information Disclosure of Hidden User Accounts

Title source: llm

Description

An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.

References (5)

Core 5

Core References

Permissions Required x_refsource_misc

https://phabricator.wikimedia.org/T120883

Mailing List, Release Notes, Vendor Advisory x_refsource_misc

https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2020/dsa-4816

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2020/12/msg00034.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STT5Z4A3BCXVH3WIPICWU2FP4IPIMUPC/

Scores

CVSS v3 5.3

EPSS 0.0034

EPSS Percentile 57.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-203

Status published

Products (4)

debian/debian_linux 9.0

debian/debian_linux 10.0

fedoraproject/fedora 33

mediawiki/mediawiki < 1.35.1

Published Dec 18, 2020

Tracked Since Feb 18, 2026