CVE-2016-6335

Published on: 04/20/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:11 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Certain versions of MediaWiki (vendor: Mediawiki) contain the following vulnerability:

MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php.

  • CVE-2016-6335 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS2 Score: 5 - MEDIUM

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

CVE References

T139565 - API action=parse&prop=headhtml doesn't operate in the context of the page being requested
  Tags: Third Party Advisory
  Source: CONFIRM, phabricator.wikimedia.org
  Link: phabricator.wikimedia.org/T139565

T139570 - API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP
  Tags: Patch, Third Party Advisory
  Source: CONFIRM, phabricator.wikimedia.org
  Link: phabricator.wikimedia.org/T139570

[MediaWiki-announce] Security Release - 1.27.1, 1.26.4, 1.23.15
  Tags: Mailing List, Patch, Vendor Advisory
  Source: MLIST, lists.wikimedia.org
  Link: [MediaWiki-announce] 20160823 Security Release - 1.27.1, 1.26.4, 1.23.15

Bug 1369613 - (CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336) mediawiki: multiple flaws fixed in 1.27.1, 1.26.4 and 1.23.15
  Tags: Issue Tracking
  Source: CONFIRM, bugzilla.redhat.com
  Link: bugzilla.redhat.com/show_bug.cgi?id=1369613

Known Affected Configurations (CPE V2.3)

Type         Vendor      Product     Version  Update  Edition  Language
Application  Mediawiki   Mediawiki   1.26.0   All     All      All
Application  Mediawiki   Mediawiki   1.26.1   All     All      All
Application  Mediawiki   Mediawiki   1.26.2   All     All      All
Application  Mediawiki   Mediawiki   1.26.3   All     All      All
Application  Mediawiki   Mediawiki   1.26.4   All     All      All
Application  Mediawiki   Mediawiki   1.27.0   All     All      All
Application  Mediawiki   Mediawiki   All      All     All      All

Note that the description above names 1.26.4 and 1.27.1 as the fixed releases, so the 1.26.4 row and the unversioned "All" row in this configuration list are broader than the affected ranges stated in the description; check the installed version against the description's ranges rather than against this list alone.

  • cpe:2.3:a:mediawiki:mediawiki:1.26.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.26.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.26.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.26.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.26.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.27.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*