In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| mediawiki/core(Packagist) | 0 | 1.31.8 | N/A |
| mediawiki/core(Packagist) | 1.32.0 | 1.33.4 | N/A |
| mediawiki/core(Packagist) | 1.34.0 | 1.34.2 | N/A |
CVSS Metrics
