CVE-2025-32698: LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions

2.1 CVSS

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the program file includes/logging/LogPager.php.

This issue affects MediaWiki versions before 1.39.12, 1.42.6, and 1.43.1.

Classification

CVE ID: CVE-2025-32698

CVSS Base Severity: LOW

CVSS Base Score: 2.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: Wikimedia Foundation

Product: MediaWiki

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 25.42% (proportion of vulnerabilities scored less than or equal to this one)

EPSS Date: 2025-04-18 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32698
https://phabricator.wikimedia.org/T385958

Timeline