
CVE-2023-45362: n/a

Published: Fri Nov 03 2023 (11/03/2023, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak.

AI-Powered Analysis

Last updated: 11/04/2025, 22:12:39 UTC

Technical Analysis

CVE-2023-45362 is a vulnerability in the DifferenceEngine.php component of MediaWiki, a widely used open-source wiki platform. The issue lies in the diff-multi-sameuser message (rendered as "X intermediate revisions by the same user not shown"), which the diff view emits when it collapses several consecutive revisions made by the same user. That message ignores username suppression, the privacy feature intended to hide a user's name in revision histories, so the diff view discloses information about a suppressed user's editing activity that was supposed to be concealed. This is an information leak. The affected MediaWiki versions are all releases before 1.35.12, the 1.36.x through 1.39.x branches before 1.39.5, and 1.40.x before 1.40.1. The flaw requires no authentication or user interaction to trigger, so anyone with read access to the wiki can observe it. No exploitation in the wild has been reported, but the vulnerability undermines the confidentiality guarantee of username suppression and may expose sensitive editorial metadata. This is particularly problematic where editor anonymity or privacy is critical, such as in governmental or corporate wikis. The vulnerability does not directly affect system integrity or availability; it compromises the privacy and confidentiality of user actions. Because no CVSS score is assigned, the assessment rests on the confidentiality impact, the ease of exploitation, and the scope of affected systems. Given the widespread use of MediaWiki in Europe, especially in public sector and educational institutions, this vulnerability poses a moderate risk.

Potential Impact

The primary impact of CVE-2023-45362 is the unintended disclosure of editing activity that users intended to keep private via username suppression. For European organizations, this can lead to breaches of confidentiality, especially in sensitive environments such as government agencies, research institutions, and companies using MediaWiki for internal documentation. Exposure of editing histories can reveal user identities, editing patterns, or sensitive operational details, potentially facilitating targeted social engineering or insider threat activities. Although the vulnerability does not allow direct system compromise or data manipulation, the leakage of metadata can undermine trust in the platform and violate privacy regulations such as GDPR. The risk is heightened in organizations that rely on MediaWiki for collaborative work involving confidential or classified information. Since exploitation does not require authentication, any external or internal user with read access can leverage this flaw, increasing the attack surface. The absence of known exploits suggests limited current threat activity, but the vulnerability remains a latent risk until patched.

Mitigation Recommendations

To mitigate CVE-2023-45362, organizations should promptly upgrade MediaWiki to the fixed version for their branch: 1.35.12 or later, 1.39.5 or later, or 1.40.1 or later. Administrators should verify that username suppression settings are correctly configured and test diff views that collapse intermediate revisions to confirm that suppression is honoured there as intended. It is advisable to audit wiki access controls and restrict read permissions to trusted users only, minimizing exposure. Monitoring wiki logs for unusual access patterns or attempts to enumerate revision histories can help detect exploitation attempts. Additionally, organizations should educate users about the limitations of username suppression and consider alternative privacy controls where necessary. For highly sensitive deployments, consider isolating MediaWiki instances or restricting external access until patches are applied. Maintaining an up-to-date inventory of MediaWiki installations and applying security updates promptly is critical to reducing exposure.
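As an added example (not part of this advisory and not MediaWiki code), the affected ranges above encoded as a checker that triages an inventory of installations; the hostnames and versions in the sample inventory are constructed.

```python
# Affected-version check for CVE-2023-45362, derived from the advisory's
# ranges: < 1.35.12, 1.36.x..1.39.x before 1.39.5, and 1.40.x before 1.40.1.
from typing import Dict, Tuple

FIXED_135 = (1, 35, 12)   # everything below this is affected
FIXED_139 = (1, 39, 5)    # fix for the 1.36..1.39 branches
FIXED_140 = (1, 40, 1)    # fix for the 1.40 branch


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.39.4', '1.40.0-rc.1' or '1.35' into a (major, minor, patch) tuple.
    Pre-release/build suffixes are dropped; a missing patch number counts as 0."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised MediaWiki version: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v < FIXED_135:
        return True
    if (1, 36, 0) <= v < FIXED_139:
        return True
    if (1, 40, 0) <= v < FIXED_140:
        return True
    return False              # 1.35.12, 1.39.5+, 1.40.1+ and 1.41+ are not listed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version string to host -> 'affected' / 'not affected' / 'unparseable'."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if is_affected(ver) else "not affected"
        except ValueError:
            result[host] = "unparseable"   # needs a manual look, never silently skipped
    return result


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "wiki-intranet.example": "1.39.4",
    "docs.example": "1.35.12",
    "lab-wiki.example": "1.40.0-rc.1",
    "legacy.example": "1.31.16",
    "new.example": "1.41.0",
    "broken.example": "git-master",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```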


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2023-10-09T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690a3b5aff58c9332ff08e4a

Added to database: 11/4/2025, 5:43:54 PM

Last enriched: 11/4/2025, 10:12:39 PM

Last updated: 2/4/2026, 10:49:13 AM

