CVE-2021-30153

MEDIUM

MediaWiki <1.35.2 - Info Disclosure

Title source: llm

Description

An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.

References (3)

[Mailing List, Patch, Vendor Advisory] https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html

[Exploit, Vendor Advisory] https://phabricator.wikimedia.org/T270453

[Third Party Advisory] https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY/

Scores

CVSS v3 4.3

EPSS 0.0020

EPSS Percentile 41.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-668

Status published

Affected Products (1)

mediawiki/mediawiki < 1.31.13

Timeline

Published Apr 15, 2023

Tracked Since Feb 18, 2026