CVE-2023-45362: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression

An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka “X intermediate revisions by the same user not shown”) ignores username suppression. This is an information leak.


Risk Rating

Medium

Author Affiliation

Wikimedia Communities


Event Timeline

Restricted Application added a subscriber: Aklapper.

sbassett changed the task status from Open to In Progress.

sbassett triaged this task as Medium priority.

Mstyles added a parent task: Restricted Task.

Reedy renamed this task from diff-multi-sameuser (“X intermediate revisions by the same user not shown”) ignores username suppression to CVE-2023-45362: diff-multi-sameuser (“X intermediate revisions by the same user not shown”) ignores username suppression.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from “Custom Policy” to “Public (No Login Required)”.

sbassett changed Risk Rating from N/A to Medium.
