Information disclosure in Special:Redirect/logid
Description
MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki before 1.31.1, 1.30.1, 1.29.3, and 1.27.5 allows information disclosure via Special:Redirect/logid when log events are partially hidden.
Vulnerability
MediaWiki versions 1.31.x before 1.31.1, 1.30.x before 1.30.1, 1.29.x before 1.29.3, and 1.27.x before 1.27.5 contain an information disclosure flaw in the Special:Redirect/logid handler. When a log event is partially hidden (e.g., username or IP address suppressed), the redirect may point to a different log entry that still reveals the hidden details [1][2].
Exploitation
An attacker can craft a URL such as Special:Redirect/logid/ that references a log event that has been partially hidden. The redirect may then display a log entry that includes the suppressed information, allowing the attacker to view it directly. No special authentication or privileges are required beyond the ability to access the wiki [2].
Impact
Successful exploitation leads to unauthorized disclosure of hidden log event details, such as suppressed usernames or IP addresses. This is a confidentiality breach that does not grant code execution or privilege escalation [2].
Mitigation
Fixed versions are MediaWiki 1.27.5, 1.29.3, 1.30.1, and 1.31.1, released in September 2018 [3]. Users are strongly advised to upgrade to these or later versions. Note that MediaWiki 1.29 reached end-of-life in July 2018, so upgrading to 1.31.x is recommended [3]. The fix is also included in the Red Hat advisory for OpenShift Container Platform 3.10 [4]. No workarounds have been documented.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | >= 1.27.0, < 1.27.5 | 1.27.5 |
| mediawiki/core (Packagist) | >= 1.29.0, < 1.29.3 | 1.29.3 |
| mediawiki/core (Packagist) | >= 1.30.0, < 1.30.1 | 1.30.1 |
| mediawiki/core (Packagist) | >= 1.31.0, < 1.31.1 | 1.31.1 |
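
To check an installation against the ranges in the table above, the following added example (not code from this page or from MediaWiki) reads a `composer.lock` and classifies any `mediawiki/core` entry. It assumes the wiki is installed through Composer; the function names and the sample lock file are constructed for illustration.

```python
import json
import re

# Ranges copied from the "Affected packages" table: (first affected, first patched).
AFFECTED_RANGES = [
    ((1, 27, 0), (1, 27, 5)),
    ((1, 29, 0), (1, 29, 3)),
    ((1, 30, 0), (1, 30, 1)),
    ((1, 31, 0), (1, 31, 1)),
]

def classify(version_text):
    """Return 'affected', 'not-listed' or 'unknown' for a version string."""
    # Only plain x.y.z (optionally 'v'-prefixed) is compared; pre-releases and
    # branch aliases such as 'dev-master' are reported as unknown, not guessed.
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version_text.strip())
    if not m:
        return "unknown"
    version = tuple(int(part) for part in m.groups())
    for first_affected, first_patched in AFFECTED_RANGES:
        if first_affected <= version < first_patched:
            return "affected"
    # 'not-listed' means outside the table's ranges, e.g. a branch the table
    # does not mention; it is not a statement that the version is safe.
    return "not-listed"

def audit_composer_lock(lock_text):
    """Return [(version, classification)] for each mediawiki/core entry."""
    lock = json.loads(lock_text)
    results = []
    for section in ("packages", "packages-dev"):
        for package in lock.get(section, []):
            if package.get("name") == "mediawiki/core":
                version = package.get("version", "")
                results.append((version, classify(version)))
    return results

# Constructed sample lock file, trimmed to the fields the audit reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "mediawiki/core", "version": "1.30.0"},
        {"name": "psr/log", "version": "1.0.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for version, status in audit_composer_lock(SAMPLE_LOCK):
        print(f"mediawiki/core {version}: {status}")
```
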
References
- access.redhat.com/errata/RHSA-2019:3238
- access.redhat.com/errata/RHSA-2019:3813
- github.com/advisories/GHSA-hr8v-f4g2-p66f
- nvd.nist.gov/vuln/detail/CVE-2018-0504
- www.debian.org/security/2018/dsa-4301
- www.securitytracker.com/id/1041695
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2018-0504.yaml
- lists.wikimedia.org/pipermail/wikitech-l/2018-September/090849.html
- phabricator.wikimedia.org/T187638