
Obtain CVEs for 1.31.8/1.33.4/1.34.2 security releases
Closed, Resolved (Public)


T248947: img_auth.php may leak private extension images into the public cache (CVE-2020-15005): In MediaWiki before 1.31.8/1.33.4/1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. All MediaWiki versions since 1.23.0 are vulnerable.

Event Timeline

Reedy changed the subtype of this task from "Security Issue" to "Task".
Legoktm updated the task description.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 24 2020, 4:59 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".