{"id":"CVE-2011-4361","details":"MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions.","modified":"2026-04-10T03:42:06.168418Z","published":"2012-01-08T11:55:19Z","references":[{"type":"ADVISORY","url":"http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html"},{"type":"ADVISORY","url":"http://openwall.com/lists/oss-security/2011/11/29/12"},{"type":"ADVISORY","url":"http://openwall.com/lists/oss-security/2011/11/29/6"},{"type":"ADVISORY","url":"http://www.debian.org/security/2011/dsa-2366"},{"type":"ADVISORY","url":"https://bugzilla.redhat.com/show_bug.cgi?id=758171"},{"type":"ADVISORY","url":"https://bugzilla.wikimedia.org/show_bug.cgi?id=32616"},{"type":"ARTICLE","url":"http://openwall.com/lists/oss-security/2011/11/29/12"},{"type":"ARTICLE","url":"http://openwall.com/lists/oss-security/2011/11/29/6"},{"type":"FIX","url":"http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html"},{"type":"FIX","url":"https://bugzilla.wikimedia.org/show_bug.cgi?id=32616"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=758171"},{"type":"REPORT","url":"https://bugzilla.wikimedia.org/show_bug.cgi?id=32616"}],"schema_version":"1.7.5"}