What is CVE-2023-36674?

CVE-2023-36674 is a vulnerability in MediaWiki versions before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1 that allows bypassing the Bad image list through the use of the thumb parameter in the File syntax.

How severe is CVE-2023-36674?

CVE-2023-36674 has a severity rating of 5.3 (medium).

How does CVE-2023-36674 affect MediaWiki?

CVE-2023-36674 affects MediaWiki versions before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1.

How can I fix CVE-2023-36674 in MediaWiki?

To fix CVE-2023-36674, you should update MediaWiki to version 1.35.11, 1.38.7, 1.39.4, or 1.40.1 depending on the branch you are using.

Where can I find more information about CVE-2023-36674?

You can find more information about CVE-2023-36674 in the references provided: [Phabricator](https://phabricator.wikimedia.org/T335612), [Gerrit](https://gerrit.wikimedia.org/r/c/mediawiki/core/+/934571/), and [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2023-36674).

Vulnerability/
CVE-2023-36674

medium

5.3

20/8/2023

15/9/2023

CVE-2023-36674

First published: Sun Aug 20 2023(Updated: )

An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
debian/mediawiki		1:1.31.16-1+deb10u2 1:1.31.16-1+deb10u6 1:1.35.11-1~deb11u1 1:1.35.13-1~deb11u1 1:1.39.4-1~deb12u1 1:1.39.5-1~deb12u1 1:1.39.5-1
MediaWiki MediaWiki	<1.35.11
MediaWiki MediaWiki	>=1.36.0<1.38.7
MediaWiki MediaWiki	>=1.39.0<1.39.4
MediaWiki MediaWiki	=1.40.0

Remedy

https://phabricator.wikimedia.org/T335612

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-36674?
CVE-2023-36674 is a vulnerability in MediaWiki versions before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1 that allows bypassing the Bad image list through the use of the thumb parameter in the File syntax.
How severe is CVE-2023-36674?
CVE-2023-36674 has a severity rating of 5.3 (medium).
How does CVE-2023-36674 affect MediaWiki?
CVE-2023-36674 affects MediaWiki versions before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1.
How can I fix CVE-2023-36674 in MediaWiki?
To fix CVE-2023-36674, you should update MediaWiki to version 1.35.11, 1.38.7, 1.39.4, or 1.40.1 depending on the branch you are using.
Where can I find more information about CVE-2023-36674?
You can find more information about CVE-2023-36674 in the references provided: [Phabricator](https://phabricator.wikimedia.org/T335612), [Gerrit](https://gerrit.wikimedia.org/r/c/mediawiki/core/+/934571/), and [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2023-36674).

collector/security-tracker-debian
agent/author
agent/last-modified-date
agent/type
agent/references
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-api
agent/severity
agent/remedy
agent/softwarecombine
agent/tags
agent/description
agent/first-publish-date
agent/event
package-manager/debian
vendor/mediawiki
canonical/mediawiki mediawiki
version/mediawiki mediawiki/1.36.0
version/mediawiki mediawiki/1.39.0
version/mediawiki mediawiki/1.40.0