CVE-2025-23074 Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed)

🗓️ 14 Jan 2025 18:58:20Reported by wikimedia-foundationType

Special:EditProfile exposes hidden profile fields to unauthorized users in Mediawiki versions affected.

Reporter	Title	Published	Views	Family All 7
Circl	CVE-2025-23074	14 Jan 202519:10	–	circl
CNNVD	MediaWiki 信息泄露漏洞	14 Jan 202500:00	–	cnnvd
CVE	CVE-2025-23074	14 Jan 202518:58	–	cve
EUVD	EUVD-2025-3106	3 Oct 202520:07	–	euvd
NVD	CVE-2025-23074	14 Jan 202519:15	–	nvd
RedhatCVE	CVE-2025-23074	9 Jan 202610:58	–	redhatcve
Vulnrichment	CVE-2025-23074 Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed)	14 Jan 202518:58	–	vulnrichment

[
  {
    "defaultStatus": "unaffected",
    "product": "Mediawiki - SocialProfile Extension",
    "vendor": "Wikimedia Foundation",
    "versions": [
      {
        "lessThan": "1.39.11",
        "status": "affected",
        "version": "1.39.x",
        "versionType": "semver"
      },
      {
        "lessThan": "1.41.3",
        "status": "affected",
        "version": "1.41.x",
        "versionType": "semver"
      },
      {
        "lessThan": "1.42.2",
        "status": "affected",
        "version": "1.42.x",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
phabricator	www.phabricator.wikimedia.org/T373265
gerrit	www.gerrit.wikimedia.org/r/q/I4b77ced314bc6cea0ef3657a82e7467d3661fe2a

14 Jan 2025 18:58Current

EPSS0.00334

CWE-200