Impact
The vulnerability allows an unauthorized actor to obtain the hit count of private filters through the AbuseFilter QueryAbuseFilters API, exposing sensitive usage information that is otherwise hidden in the user interface. This information leakage corresponds to CWE‑200, meaning confidential data is revealed without proper access controls, potentially aiding threat actors in understanding filter effectiveness or usage patterns.
Affected Systems
Systems running the Wikimedia Foundation AbuseFilter before version 1.46.0, or on the specific earlier releases 1.45.4, 1.44.6, and 1.43.9 are affected. These versions expose private filter statistics via the API endpoint.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity; exploitation does not appear to require special credentials, as the API endpoint is accessible to unauthenticated users. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting the attack surface is limited but still present. The likely attack vector is an HTTP request to the QueryAbuseFilters API, which would return private filter hit counts to any caller.
OpenCVE Enrichment