Description
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.
References (3)
Core References
Mailing List, Patch, Vendor Advisory
https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html
Exploit, Vendor Advisory
https://phabricator.wikimedia.org/T270453
Scores
CVSS v3
4.3
EPSS
0.0022
EPSS Percentile
44.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-668
Status
published
Products (1)
mediawiki/mediawiki
< 1.31.13
Published
Apr 15, 2023
Tracked Since
Feb 18, 2026