CVE-2023-29137

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-29137

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-29137.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-29137

Aliases

BIT-mediawiki-2023-29137

Published

2023-03-31T19:15:07Z

Modified

2024-10-12T10:56:26.805029Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users.

References

https://phabricator.wikimedia.org/T328643

Affected packages

Git / github.com/wikimedia/mediawiki

Affected ranges

Type: GIT
Repo: https://github.com/wikimedia/mediawiki
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

2fdadd4096268cebab8fbc2f245dd441e2f05536

Affected versions

1.*

1.1.0

1.3.0beta1

1.39.0

1.39.0-rc.0

1.39.0-rc.1

1.39.1

1.39.2

1.39.3

1.5.0alpha1

1.5.0alpha2

1.5.0beta1

1.5.0beta2

1.5.0beta3

1.5.0beta4

1.6.0