CVE-2021-29483
9.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Summary
ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch. If you are unable to patch set $wgAPIListModules['wikiconfig'] = 'ApiQueryDisabled'; or remove private config as a workaround.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| miraheze | ManageWiki | < befb83c66f5b643e174897ea41a8a46679b26304 | affected |
Weaknesses
- CWE-200: {"CWE-200":"Exposure of Sensitive Information to an Unauthorized Actor"}
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv
- https://github.com/miraheze/ManageWiki/commit/befb83c66f5b643e174897ea41a8a46679b26304
- https://phabricator.miraheze.org/T7213
References
- https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv
- https://github.com/miraheze/ManageWiki/commit/befb83c66f5b643e174897ea41a8a46679b26304
- https://phabricator.miraheze.org/T7213
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.