CVE-2021-29483 CRITICAL

CVE-2021-29483: wikiconfig API leaked private config variables set through ManageWiki

Vendor Miraheze
Product ManageWiki
Weakness CWE-200 · Info exposure
Published April 28, 2021
Last update August 3, 2024

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

What the vulnerability does

01Description

ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch. If you are unable to patch set `$wgAPIListModules['wikiconfig'] = 'ApiQueryDisabled';` or remove private config as a workaround.

Key dates

02Disclosure timeline

April 28, 2021 CVE published
August 3, 2024 Record updated