Package details: pkg:composer/mediawiki/core@1.31.9
purl pkg:composer/mediawiki/core@1.31.9
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (4)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-71jb-2wz1-hfcg | MediaWiki Cross-site Scripting (XSS) vulnerability. In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. | CVE-2020-25814, GHSA-4vr7-m8p8-434h |
| VCID-9pv8-qu44-pfdq | OATHAuth extension in MediaWiki is not implementing rate limit. An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. | CVE-2020-25827, GHSA-rqvj-fc2x-99q6 |
| VCID-pn1r-swzg-bbgy | MediaWiki Cross-site Scripting (XSS) vulnerability. An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) | CVE-2020-25828, GHSA-h8qx-mj6v-2934 |
| VCID-u529-67z7-fqab | MediaWiki Special:UserRights exposes the existence of hidden users. In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users. | CVE-2020-25813, GHSA-c4rj-wrmq-52rj |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-01T14:32:36.880792+00:00 | GHSA Importer | Fixing | VCID-9pv8-qu44-pfdq | https://github.com/advisories/GHSA-rqvj-fc2x-99q6 | 36.1.3 |
| 2025-07-01T14:32:36.841161+00:00 | GHSA Importer | Fixing | VCID-u529-67z7-fqab | https://github.com/advisories/GHSA-c4rj-wrmq-52rj | 36.1.3 |
| 2025-07-01T14:32:36.746333+00:00 | GHSA Importer | Fixing | VCID-71jb-2wz1-hfcg | https://github.com/advisories/GHSA-4vr7-m8p8-434h | 36.1.3 |
| 2025-07-01T14:32:36.702715+00:00 | GHSA Importer | Fixing | VCID-pn1r-swzg-bbgy | https://github.com/advisories/GHSA-h8qx-mj6v-2934 | 36.1.3 |
| 2025-07-01T12:30:50.219728+00:00 | GithubOSV Importer | Fixing | VCID-9pv8-qu44-pfdq | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rqvj-fc2x-99q6/GHSA-rqvj-fc2x-99q6.json | 36.1.3 |
| 2025-07-01T12:29:29.850546+00:00 | GithubOSV Importer | Fixing | VCID-71jb-2wz1-hfcg | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4vr7-m8p8-434h/GHSA-4vr7-m8p8-434h.json | 36.1.3 |
| 2025-07-01T12:29:07.255751+00:00 | GithubOSV Importer | Fixing | VCID-pn1r-swzg-bbgy | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h8qx-mj6v-2934/GHSA-h8qx-mj6v-2934.json | 36.1.3 |
| 2025-07-01T12:27:33.721465+00:00 | GithubOSV Importer | Fixing | VCID-u529-67z7-fqab | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c4rj-wrmq-52rj/GHSA-c4rj-wrmq-52rj.json | 36.1.3 |