
Obtain CVEs for 1.31.8/1.33.4/1.34.2 security releases
Closed, Resolved (Public)

Description

T248947: img_auth.php may leak private extension images into the public cache (CVE-2020-15005): In MediaWiki before 1.31.8/1.33.4/1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. All MediaWiki versions since 1.23.0 are vulnerable.

Event Timeline

Reedy created this task. Mar 26 2020, 12:37 AM
Reedy changed the subtype of this task from "Security Issue" to "Task".
Legoktm claimed this task. Jun 24 2020, 3:44 AM
Legoktm updated the task description.
Legoktm closed this task as Resolved. Jun 24 2020, 11:20 AM

CVE-2020-15005

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 24 2020, 4:59 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".