CVE-2025-32698
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.php.
This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki LogPager restriction enforcer functions fail to enforce suppression, leaking hidden log entries to unauthorized users.
CVE-2025-32698 describes a sensitive information disclosure vulnerability in MediaWiki's LogPager.php component. The restriction enforcer functions that control access to suppressed (hidden) log entries do not correctly enforce these suppression restrictions. This means that users who should not be able to see such entries may still access them, violating the intended access controls [1].
The vulnerability affects the way LogPager handles the suppression status of log entries when applying filters and pagination. An attacker can exploit this by accessing the log interface through standard MediaWiki pages or API endpoints that use LogPager. No special network position or authentication bypass is required, but the attacker must be a logged-in user with at least read access to the wiki; the bug lies in the server-side enforcement of which entries to show based on user permissions [1].
The impact is the exposure of suppressed log entries to unauthorized actors. Suppressed logs typically include sensitive information such as user blocks, deletions, or other administrative actions that are meant to be hidden from most users. An attacker who gains knowledge of these entries could use the information for further reconnaissance or social engineering, though the attack requires an existing account on the wiki [1].
Affected versions are MediaWiki before 1.39.12, 1.42.6, and 1.43.1. The issue was fixed by correcting the restriction enforcer logic in LogPager. Administrators are strongly advised to update their installations to the latest patched versions. No workaround has been provided, but the vulnerability is rated Low severity with a Medium risk in the Phabricator task [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.39.12, >=1.42.0, <1.42.6, >=1.43.0, <1.43.1
- (no CPE) range: <1.39.12, >=1.42.0 <1.42.6, >=1.43.0 <1.43.1
Patches
No patches discovered yet.
References