CVE-2019-12470
Description
Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki improperly exposes suppressed log entries on the RevisionDelete page, breaking access control for deleted log items.
Vulnerability
Overview
CVE-2019-12470 is an access control vulnerability in Wikimedia MediaWiki through version 1.32.1. Suppressed log entries, which should be visible only to the small group of users holding the suppression right, were exposed on the RevisionDelete page to users who hold only the ordinary log-deletion rights [1][3]. The root cause is an incomplete permission check: the log-list visibility check (LogEventsList::userCan()) did not take an entry's suppression status into account before rendering it, so a log entry hidden at the suppression tier was treated like one hidden at the ordinary deletion tier [3].
Exploitation
Conditions
An attacker needs an authenticated account on the wiki that may use the RevisionDelete interface for log entries (in a default configuration, the deletelogentry and deleterevision rights held by administrators) but that lacks the separate suppressrevision right reserved for suppressing and viewing suppressed content. No special network position is needed beyond ordinary web access. By opening the RevisionDelete page for a set of log entries, or by sending the equivalent requests directly, such a user can see suppressed log entries that should be hidden from them [2][3]. No authentication bypass is involved; the flaw is that the permission check for suppressed log entries is incomplete, so the ordinary deletion right is accepted where the suppression right should be required.
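The incomplete check described in the Overview and the Conditions above, as an added illustration that is not MediaWiki's own code or its patch. The constant names and values mirror MediaWiki's LogPage::DELETED_* bitfield, which marks which fields of a log entry are hidden and, with DELETED_RESTRICTED, whether the entry was suppressed; the two check functions, the rights lists and the sample log rows are hypothetical and constructed for the example.

```php
<?php
// Added example: a simplified model of the log-entry visibility check that
// CVE-2019-12470 concerns. Constant values mirror MediaWiki's LogPage
// bitfield; everything else (functions, rights lists, rows) is hypothetical.

const DELETED_ACTION     = 1;  // LogPage::DELETED_ACTION: action/target hidden
const DELETED_COMMENT    = 2;  // LogPage::DELETED_COMMENT: edit summary hidden
const DELETED_USER       = 4;  // LogPage::DELETED_USER: performer hidden
const DELETED_RESTRICTED = 8;  // LogPage::DELETED_RESTRICTED: suppressed (oversight tier)

// Vulnerable pattern: tests only whether the requested field is hidden and
// accepts the ordinary deletion right for every hidden entry. The suppression
// bit is never consulted, so anyone admitted to RevisionDelete sees
// suppressed entries as well.
function userCanVulnerable(int $logDeleted, int $field, array $rights): bool {
    if (($logDeleted & $field) === 0) {
        return true;                          // field is not hidden at all
    }
    return in_array('deletedhistory', $rights, true);
}

// Hardened pattern: when DELETED_RESTRICTED is set the entry was suppressed,
// and only the suppression rights may reveal it; the ordinary deletion right
// is sufficient only for entries hidden at the lower tier.
function userCanHardened(int $logDeleted, int $field, array $rights): bool {
    if (($logDeleted & $field) === 0) {
        return true;
    }
    $needed = ($logDeleted & DELETED_RESTRICTED)
        ? ['suppressrevision', 'viewsuppressed']
        : ['deletedhistory'];
    foreach ($needed as $right) {
        if (in_array($right, $rights, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample log list: one entry hidden by an administrator, one
// suppressed by an oversighter (same hidden fields, plus the restricted bit).
$entries = [
    ['id' => 101, 'log_deleted' => DELETED_ACTION | DELETED_COMMENT],
    ['id' => 102, 'log_deleted' => DELETED_ACTION | DELETED_COMMENT | DELETED_RESTRICTED],
];

// Hypothetical rights sets: a sysop allowed into RevisionDelete without the
// suppression right, and an oversighter who holds it.
$sysopRights       = ['deletedhistory', 'deletelogentry', 'deleterevision'];
$oversighterRights = ['deletedhistory', 'deletelogentry', 'deleterevision',
                      'suppressrevision', 'viewsuppressed'];

// Returns the ids of the entries whose action field the given check lets
// a user with $rights see.
function visibleEntries(array $entries, array $rights, callable $check): array {
    $ids = [];
    foreach ($entries as $entry) {
        if ($check($entry['log_deleted'], DELETED_ACTION, $rights)) {
            $ids[] = $entry['id'];
        }
    }
    return $ids;
}

printf("sysop, vulnerable check : %s\n",
    implode(',', visibleEntries($entries, $sysopRights, 'userCanVulnerable')));
printf("sysop, hardened check   : %s\n",
    implode(',', visibleEntries($entries, $sysopRights, 'userCanHardened')));
printf("oversighter, hardened   : %s\n",
    implode(',', visibleEntries($entries, $oversighterRights, 'userCanHardened')));
```

Run with `php example.php`. With the vulnerable check the sysop is shown both rows, including the suppressed one, which is the information disclosure this CVE describes; with the hardened check the sysop is shown only the ordinarily hidden row, and only the oversighter sees both. The point of the design is that the decision must branch on the DELETED_RESTRICTED bit before choosing which right to require; a check that stops at "is this field hidden?" collapses the two deletion tiers into one.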
Impact
Successful exploitation discloses suppressed log entries: the hidden action, summary or performer of log events such as deletions, blocks or other administrative actions that an oversighter chose to conceal even from administrators. The impact is to confidentiality. Suppression is the tier reserved for material judged too sensitive for ordinary deletion, so exposing it to every user who can reach RevisionDelete can reveal exactly the operations or user information that the suppression was meant to protect [1][2].
Mitigation
The vulnerability was fixed in MediaWiki versions 1.32.2, 1.31.2, 1.30.2 and 1.27.6, released in June 2019 [2]. Administrators are strongly advised to upgrade to these patched versions or later; the running version can be confirmed on Special:Version or from $wgVersion in includes/DefaultSettings.php. No workaround is documented; the fix corrects the permission checks in LogFormatter and LogEventsList [3]. The Debian security advisory DSA-4460-1 also shipped this fix for the stable distribution [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mediawiki/core | Packagist | >= 1.27.0, < 1.27.6 | 1.27.6 |
| mediawiki/core | Packagist | >= 1.30.0, < 1.30.2 | 1.30.2 |
| mediawiki/core | Packagist | >= 1.31.0, < 1.31.2 | 1.31.2 |
| mediawiki/core | Packagist | >= 1.32.0, < 1.32.2 | 1.32.2 |
Affected products
- Wikimedia/MediaWiki
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-733q-m38x-q7cc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12470 (advisory)
- www.debian.org/security/2019/dsa-4460 (Debian vendor advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-12470.yaml (web)
- lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html (vendor confirmation)
- phabricator.wikimedia.org/T222038 (bug tracker)
- seclists.org/bugtraq/2019/Jun/12 (Bugtraq mailing list)
News mentions
No linked articles in our index yet.