CVE-2010-2787

high

Description

api.php in MediaWiki before 1.15.5 does not prevent use of public caching headers for private data, which allows remote attackers to bypass intended access restrictions and obtain sensitive information by retrieving documents from an HTTP proxy cache that has been used by a victim.

References

https://bugzilla.wikimedia.org/show_bug.cgi?id=24565

https://bugzilla.redhat.com/show_bug.cgi?id=620226

https://bugzilla.redhat.com/show_bug.cgi?id=620224

http://www.securityfocus.com/bid/42019

http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=69776

http://openwall.com/lists/oss-security/2010/07/29/4

http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-July/000092.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059235.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059232.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058910.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058588.html

Details

Source: Mitre, NVD

Published: 2011-04-27

Updated: 2011-09-07

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High