{"id":"CVE-2023-36674","details":"An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.","aliases":["BIT-mediawiki-2023-36674"],"modified":"2026-04-16T00:10:23.450949999Z","published":"2023-08-20T18:15:09.930Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O/"},{"type":"REPORT","url":"https://phabricator.wikimedia.org/T335612"},{"type":"FIX","url":"https://phabricator.wikimedia.org/T335612"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wikimedia/mediawiki","events":[{"introduced":"0"},{"fixed":"b8d14e9d292f1199b959b9ce26d99f72bf935406"},{"introduced":"bc542ec6d8573dfb906b468901799e0017875f1e"},{"fixed":"059c8e1b9a315c36ae827f929ea9a077acbba2eb"},{"introduced":"c95fc4786beba034fa643062b98a60ccbde831fd"},{"fixed":"c4075dfdbcb51df3c922aef582cf5b4091759595"}]}],"versions":["1.39.0","1.39.1","1.39.2","1.39.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-36674.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}