Main Vulnerability Database Vulnerabilities #VU39170

Improper access control in MediaWiki - CVE-2016-6336

Published: April 20, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39170

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-6336

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: MediaWiki.org

Affected software:
MediaWiki

Detailed vulnerability description

The vulnerability allows a remote authenticated user to manipulate data.

MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete.

How to mitigate CVE-2016-6336

Install update from vendor's website.

Sources

https://bugzilla.redhat.com/show_bug.cgi?id=1369613
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html
https://phabricator.wikimedia.org/T132926

Improper access control in MediaWiki - CVE-2016-6336

Detailed vulnerability description

How to mitigate CVE-2016-6336

Sources

Please verify you're human