Wikimedia Foundation MediaWiki CampaignEvents Extension Missing Authorization Vulnerability Allowing Privilege Abuse

Vulnerability

A missing authorization vulnerability has been identified in the Wikimedia Foundation MediaWiki CampaignEvents extension, specifically in versions 1.39, 1.43, 1.44, and 1.45. This vulnerability allows privilege abuse by exposing meeting and chat URLs through the 'GET campaignevents/v0/event_registration/{id}' REST endpoint, without proper authorization checks. While the UI restricts this information to registered participants, the API exposes it to all users, regardless of their registration status.

Impact

Exploitation of this vulnerability leads to unauthorized access to event-related meeting and chat URLs, which could be misused by individuals not involved in the events.

Remediation

A patch has been developed and deployed in the Wikimedia production environment. It is included in the supplemental security release for MediaWiki CampaignEvents extension versions 1.39.16, 1.43.6, 1.44.3, and 1.45.1.
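
The flaw class described above, where the UI hides fields that the API still returns, sketched as an added example: a simplified Python model, not the extension's code or the actual patch. The field names, function names and sample event are hypothetical, and the check assumes only registered participants may see the links, as stated above for the UI.

```python
from dataclasses import dataclass, field

# Hypothetical names for the two participant-only values the advisory mentions.
PARTICIPANT_ONLY_FIELDS = ("meeting_url", "chat_url")


@dataclass
class Event:
    id: int
    name: str
    meeting_url: str
    chat_url: str
    participants: set = field(default_factory=set)


def serialize_event(event):
    """Full record, as a handler would build it before any filtering."""
    return {"id": event.id, "name": event.name,
            "meeting_url": event.meeting_url, "chat_url": event.chat_url}


def get_registration_unchecked(event, requester):
    """Before: every caller gets every field; only the UI hides the links."""
    return serialize_event(event)


def get_registration_checked(event, requester):
    """After: the API handler itself decides, per field, what the caller may see."""
    body = serialize_event(event)
    if requester is None or requester not in event.participants:
        for key in PARTICIPANT_ONLY_FIELDS:
            body.pop(key, None)
    return body


def leaked_fields(handler, event, requester):
    """Regression check: participant-only fields present in the response."""
    return sorted(k for k in PARTICIPANT_ONLY_FIELDS if k in handler(event, requester))


# Constructed sample event; URLs and user names are placeholders.
EVENT = Event(7, "Edit-a-thon", "https://meet.example/room",
              "https://chat.example/group", {"Alice"})

if __name__ == "__main__":
    for user in ("Alice", "Mallory", None):
        print(user,
              leaked_fields(get_registration_unchecked, EVENT, user),
              leaked_fields(get_registration_checked, EVENT, user))
```

A check like `leaked_fields` belongs in the API test suite, run once as a non-participant and once as an anonymous caller, so that a UI-only restriction is caught before release.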

Added: Jan 9, 2026, 4:19 PM
Updated: Jan 9, 2026, 6:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.