CVE-2016-6336

Medium

Description

MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete.

References

https://phabricator.wikimedia.org/T132926

https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html

https://bugzilla.redhat.com/show_bug.cgi?id=1369613

Details

Source: Mitre, NVD

Published: 2017-04-20

Updated: 2017-04-24

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium