CVE-2023-45363: 
PHP vulnerability analysis and mitigation

An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. The vulnerability, identified as CVE-2023-45363, was disclosed in October 2023 and affects multiple versions of the MediaWiki software (NVD, Debian Security).

The vulnerability is characterized by an unbounded loop condition that can trigger a RequestTimeoutException when querying pages redirected to other variants with specific parameters. The issue occurs when both 'redirects' and 'converttitles' parameters are set in the query. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a high severity rating (NVD).

The primary impact of this vulnerability is the potential for denial of service attacks. When exploited, it can cause the system to enter an unbounded loop state, leading to a RequestTimeoutException, which can disrupt normal service operations (NVD).

The vulnerability has been fixed in MediaWiki versions 1.35.12, 1.39.5, and 1.40.1. For Debian systems, fixes have been released in version 1:1.35.13-1~deb11u1 for bullseye and 1:1.39.5-1~deb12u1 for bookworm. Users are recommended to upgrade their MediaWiki installations to the patched versions (Debian LTS, Debian Security).