CVE-2022-28323 - OpenCVE

An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mediawiki	Mediawiki

Configuration 1 [-]

cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*

References

Link	Resource
https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893	Vendor Advisory
https://gerrit.wikimedia.org/r/q/I9d3b9a942ea71d777ec32121fa36262f549d283d	Vendor Advisory
https://phabricator.wikimedia.org/T298434	Permissions Required

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-04-30T15:05:46

Updated: 2022-04-30T15:05:46

Reserved: 2022-04-01T00:00:00

Link: CVE-2022-28323

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-30T16:15:07.673

Modified: 2022-05-10T12:32:24.843

Link: CVE-2022-28323

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-30T15:05:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://phabricator.wikimedia.org/T298434"}, {"tags": ["x_refsource_MISC"], "url": "https://gerrit.wikimedia.org/r/q/I9d3b9a942ea71d777ec32121fa36262f549d283d"}, {"tags": ["x_refsource_MISC"], "url": "https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-28323", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://phabricator.wikimedia.org/T298434", "refsource": "MISC", "url": "https://phabricator.wikimedia.org/T298434"}, {"name": "https://gerrit.wikimedia.org/r/q/I9d3b9a942ea71d777ec32121fa36262f549d283d", "refsource": "MISC", "url": "https://gerrit.wikimedia.org/r/q/I9d3b9a942ea71d777ec32121fa36262f549d283d"}, {"name": "https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893", "refsource": "MISC", "url": "https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-28323", "datePublished": "2022-04-30T15:05:46", "dateReserved": "2022-04-01T00:00:00", "dateUpdated": "2022-04-30T15:05:46", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "40FFFEA4-A471-43C1-870B-10960DE725CF", "versionEndIncluding": "1.37.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,"}, {"lang": "es", "value": "Se ha detectado un problema en MediaWiki versiones hasta 1.37.2. La extensi\u00f3n SecurePoll permite un filtrado porque es admitida una ordenaci\u00f3n por marca de tiempo"}], "id": "CVE-2022-28323", "lastModified": "2022-05-10T12:32:24.843", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-30T16:15:07.673", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://gerrit.wikimedia.org/r/q/I9d3b9a942ea71d777ec32121fa36262f549d283d"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://phabricator.wikimedia.org/T298434"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}