The Echo extension for MediWiki does not properly implement the hideuser functionality, which allows remote authenticated users to see hidden usernames in "non-revision based" notifications, as demonstrated by viewing a hidden username in a Thanks notification.
References
Link | Resource |
---|---|
http://www.securitytracker.com/id/1034028 | |
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000182.html | Patch Vendor Advisory |
https://phabricator.wikimedia.org/T110553 | Vendor Advisory |
Configurations
History
No history.
Information
Published : 2015-11-09 18:59
Updated : 2024-02-28 15:21
NVD link : CVE-2015-8007
Mitre link : CVE-2015-8007
CVE.ORG link : CVE-2015-8007
JSON object : View
Products Affected
echo_project
- echo
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor