Lucene search

PRIOn knowledge basePRION:CVE-2023-36674

HistoryAug 20, 2023 - 6:15 p.m.

Design/Logic Flaw

2023-08-2018:15:00

PRIOn knowledge base

www.prio-n.com

mediawiki

bypassing

bad image list

manualthumb

5.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.7%

JSON

An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.

CPENameOperatorVersion
mediawikige1.39.0
mediawikilt1.39.4
mediawikige1.36.0
mediawikilt1.38.7
mediawikilt1.35.11
mediawikieq1.40.0

Name	Operator	Version
mediawiki	ge	1.39.0
mediawiki	lt	1.39.4
mediawiki	ge	1.36.0
mediawiki	lt	1.38.7
mediawiki	lt	1.35.11
mediawiki	eq	1.40.0

References

lists.fedoraproject.org/archives/list/[email protected]/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/

lists.fedoraproject.org/archives/list/[email protected]/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/

lists.fedoraproject.org/archives/list/[email protected]/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O/

phabricator.wikimedia.org/T335612