Key vulnerability information

Vulnerability title: Exposure of hidden/suppressed usernames

Severity: High
CVSS v4 base metrics: 8.7 / 10

Affected versions: < 3.6.3
Patched versions: 3.6.4/a3dae0c

Description

Summary: Several parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag.

Details:
- Parameters like , , and output the page creator or last editor using the placeholder, revealing actual usernames even when hidden.
- The placeholder with also reveals hidden usernames.
- Parameters like , , , and can expose suppressed usernames when combined with .
- Parameters like , , , , , and accept usernames as input, potentially revealing hidden identities.

Proof of concept

1. Create a page while logged in as a user.
2. Revision delete or suppress the username from the page history.
3. Use a DPL query with one of the affected parameters.
4. The output reveals the hidden username.

Example

Impact

This issue causes the exposure of usernames that were intentionally hidden by administrators, undermining revision deletion, user suppression, and block-related privacy measures.
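The missing visibility check described under Details, as an added Python model that is not the extension's own code: it contrasts an output path and an input filter that ignore username hiding with versions that honour it. The `{editor}` placeholder, the function names, the sample revisions and the `DELETED_USER` bit value are assumptions made for this sketch.

```python
from dataclasses import dataclass

DELETED_USER = 4   # assumed bit, modelled on MediaWiki's revision-deletion bitfield
HIDDEN = "(username removed)"

@dataclass(frozen=True)
class Revision:
    page: str
    user: str
    deleted: int = 0  # bitfield set by revision deletion or suppression

# Constructed sample data.
REVISIONS = [
    Revision("Sandbox", "Alice"),
    Revision("Incident notes", "Mallory", deleted=DELETED_USER),
    Revision("Help desk", "Bob"),
]
HIDEUSER_BLOCKED = {"Bob"}  # accounts blocked with the hideuser flag

def user_hidden(rev, may_view_hidden=False):
    """True when this viewer must not learn who made the revision."""
    if may_view_hidden:
        return False
    return bool(rev.deleted & DELETED_USER) or rev.user in HIDEUSER_BLOCKED

def render_unsafe(fmt):
    # Output path without a visibility check: substitutes the stored name.
    return [fmt.format(page=r.page, editor=r.user) for r in REVISIONS]

def render_safe(fmt, may_view_hidden=False):
    # Output path with the check: hidden names are replaced before formatting.
    return [fmt.format(page=r.page,
                       editor=HIDDEN if user_hidden(r, may_view_hidden) else r.user)
            for r in REVISIONS]

def pages_by_user_unsafe(name):
    # Input path: a match on a hidden name confirms who edited the page.
    return [r.page for r in REVISIONS if r.user == name]

def pages_by_user_safe(name, may_view_hidden=False):
    # Hidden revisions never match, so the filter cannot be used as an oracle.
    return [r.page for r in REVISIONS
            if r.user == name and not user_hidden(r, may_view_hidden)]

if __name__ == "__main__":
    print(render_unsafe("{page}: {editor}"))
    print(render_safe("{page}: {editor}"))
    print(pages_by_user_unsafe("Mallory"), pages_by_user_safe("Mallory"))
```

Both paths need the same check: masking the name on output is not enough if a username supplied as input can still match hidden revisions.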