Search for packages
| purl | pkg:composer/mediawiki/core@1.32.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1697-p35n-fber
Aliases: CVE-2019-12466 GHSA-27fw-r78j-h898 |
Wikimedia MediaWiki allows CSRF Wikimedia MediaWiki through 1.32.1 allows CSRF in logout feature. |
Affected by 12 other vulnerabilities. |
|
VCID-1866-gt2g-1qfv
Aliases: CVE-2019-12469 GHSA-x3fr-w7r5-x7rg |
MediaWiki Incorrect Access Control vulnerability MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 12 other vulnerabilities. |
|
VCID-424y-cjxg-c7az
Aliases: CVE-2020-25815 GHSA-2f58-vf6g-6p8x |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text(). |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-4keq-jcfa-13hc
Aliases: CVE-2019-19709 GHSA-pjv5-vv93-p648 |
Possible to circumvent title-blacklist MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-7eba-7gsc-hbfg
Aliases: CVE-2023-29141 GHSA-5vj8-g3qg-4qh6 |
X-Forwarded-For header allows brute-forcing autoblocked IP addresses An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-9qyu-z71g-1qbq
Aliases: CVE-2020-10959 GHSA-mqhw-wq8p-vf5r |
MediaWiki Open Redirect vulnerability resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.34.0-rc.0 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page. |
Affected by 9 other vulnerabilities. |
|
VCID-arzd-7xhw-qqb4
Aliases: CVE-2020-25827 GHSA-rqvj-fc2x-99q6 |
OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. |
Affected by 3 other vulnerabilities. |
|
VCID-azup-qzq7-sbh6
Aliases: CVE-2020-25814 GHSA-4vr7-m8p8-434h |
MediaWiki Cross-site Scripting (XSS) vulnerability In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-bbef-akjp-a3gp
Aliases: CVE-2019-12473 GHSA-33xw-x3pr-rvqj |
Wikimedia Potential DOS due to slow WatchedItemStore::countVisitingWatchersMultiple Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 12 other vulnerabilities. |
|
VCID-gma6-b9cy-kqee
Aliases: CVE-2019-12467 GHSA-6vfg-8ppv-h5hg |
MediaWiki Incorrect Access Control vulnerability MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 12 other vulnerabilities. |
|
VCID-jm7q-2w3j-buhh
Aliases: CVE-2023-45363 GHSA-w5fx-cx7f-6vr9 |
MediaWiki Denial of Service vulnerability An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-pm5t-23j4-6yh6
Aliases: CVE-2020-25828 GHSA-h8qx-mj6v-2934 |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-qmx3-kcnd-zuhe
Aliases: CVE-2019-12468 GHSA-wrhx-3pxr-6vgg |
Wikimedia MediaWiki Incorrect Access Control vulnerability An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. |
Affected by 12 other vulnerabilities. |
|
VCID-t6w8-cgct-gbgz
Aliases: CVE-2019-16738 GHSA-7hwr-f745-5rwq |
MediaWiki information disclosure In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. |
Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-tq2e-c9ym-a3hj
Aliases: CVE-2019-12474 GHSA-2qrr-c2gh-pr35 |
Wikimedia information leak vulnerability Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 12 other vulnerabilities. |
|
VCID-u2xc-ztge-p3bv
Aliases: CVE-2019-12472 GHSA-7mqg-5fgh-xh4r |
MediaWiki Incorrect Access Control vulnerability An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 12 other vulnerabilities. |
|
VCID-ujdn-y48t-pbch
Aliases: CVE-2020-25813 GHSA-c4rj-wrmq-52rj |
MediaWiki Special:UserRights exposes the existence of hidden users In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users. |
Affected by 3 other vulnerabilities. |
|
VCID-yr8d-347g-pugg
Aliases: CVE-2019-12470 GHSA-733q-m38x-q7cc |
Wikimedia MediaWik exposed suppressed log in RevisionDelete page Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 12 other vulnerabilities. |
|
VCID-z9d9-aer5-gfa9
Aliases: CVE-2021-41800 GHSA-c8wv-qwwc-6j73 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 1 other vulnerability. |
|
VCID-zgdf-mxfn-gbea
Aliases: CVE-2020-15005 GHSA-xpv7-93cm-4mxv |
img_auth.php may leak private extension images into the public cache In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled. |
Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||