CVE-2011-4360

Name	CVE-2011-4360
Description	MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DSA-2366-1
NVD severity	medium (attack range: remote)
Debian Bugs	650434

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mediawiki (PTS)	stretch (security), stretch	1:1.27.5-1~deb9u1	fixed
	buster, sid	1:1.31.1-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
mediawiki	source	(unstable)	1:1.15.5-4	medium		650434
mediawiki	source	lenny	1:1.12.0-2lenny9	medium	DSA-2366-1
mediawiki	source	squeeze	1:1.15.5-2squeeze2	medium	DSA-2366-1

[squeeze] - mediawiki <not-affected> (Vulnerable code not present)
http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html