CVE-2024-47913 – mediawiki/abuse-filter
Package
Manager: composer
Name: mediawiki/abuse-filter
Vulnerable Version: >=0 <1.39.9 || >=1.40.0 <1.41.3 || >=1.42.0 <1.42.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00196 (percentile 0.41817)
Details
Improper permissions handling in MediaWiki AbuseFilter
An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter.
Metadata
Created: 2024-10-05T00:34:19Z
Modified: 2024-12-06T22:11:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-rmcp-9fhq-58pv/GHSA-rmcp-9fhq-58pv.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-rmcp-9fhq-58pv
Finding: F039
Auto approve: 1