CVE-2023-29137
4.3
MEDIUM
CVSS 3.1
EPSS 0.14%
Description
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users.
How to fix CVE-2023-29137
To remediate CVE-2023-29137, upgrade the affected package to a fixed version below.
- Bitnami/mediawiki—upgrade to 1.39.4 or later
Is CVE-2023-29137 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Bitnami/mediawiki: versions >= 0 and < 1.39.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |