CVE-2023-29137

An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users.

Published: Mar 31, 2023
Updated: Apr 14, 2023
CVE: CVE-2023-29137
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
mediawiki / mediawiki	-	1.39.3.x

https://phabricator.wikimedia.org/T328643

Vulnerability Database

289,697

CVE-2023-29137