VulnerableCode Package Details - pkg:composer/mediawiki/core@1.34.3

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2tm2-vez4-9uaf	MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.34.x before 1.34.3. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.	CVE-2020-25812 GHSA-rj9p-8jxj-2ch4
VCID-71jb-2wz1-hfcg	MediaWiki Cross-site Scripting (XSS) vulnerability In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked.	CVE-2020-25814 GHSA-4vr7-m8p8-434h
VCID-9pv8-qu44-pfdq	OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.	CVE-2020-25827 GHSA-rqvj-fc2x-99q6
VCID-e22f-juem-wfbp	MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().	CVE-2020-25815 GHSA-2f58-vf6g-6p8x
VCID-pn1r-swzg-bbgy	MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)	CVE-2020-25828 GHSA-h8qx-mj6v-2934
VCID-u529-67z7-fqab	MediaWiki Special:UserRights exposes the existence of hidden users In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users.	CVE-2020-25813 GHSA-c4rj-wrmq-52rj

Vulnerability

Summary

Aliases

VCID-2tm2-vez4-9uaf

MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.34.x before 1.34.3. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.

CVE-2020-25812
GHSA-rj9p-8jxj-2ch4

VCID-71jb-2wz1-hfcg

MediaWiki Cross-site Scripting (XSS) vulnerability In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked.

CVE-2020-25814
GHSA-4vr7-m8p8-434h

VCID-9pv8-qu44-pfdq

OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.

CVE-2020-25827
GHSA-rqvj-fc2x-99q6

VCID-e22f-juem-wfbp

MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().

CVE-2020-25815
GHSA-2f58-vf6g-6p8x

VCID-pn1r-swzg-bbgy

MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)

CVE-2020-25828
GHSA-h8qx-mj6v-2934

VCID-u529-67z7-fqab

MediaWiki Special:UserRights exposes the existence of hidden users In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users.

CVE-2020-25813
GHSA-c4rj-wrmq-52rj

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T14:32:36.922973+00:00	GHSA Importer	Fixing	VCID-71jb-2wz1-hfcg	https://github.com/advisories/GHSA-4vr7-m8p8-434h	36.1.3
2025-07-01T14:32:36.901019+00:00	GHSA Importer	Fixing	VCID-e22f-juem-wfbp	https://github.com/advisories/GHSA-2f58-vf6g-6p8x	36.1.3
2025-07-01T14:32:36.861329+00:00	GHSA Importer	Fixing	VCID-pn1r-swzg-bbgy	https://github.com/advisories/GHSA-h8qx-mj6v-2934	36.1.3
2025-07-01T14:32:36.793943+00:00	GHSA Importer	Fixing	VCID-9pv8-qu44-pfdq	https://github.com/advisories/GHSA-rqvj-fc2x-99q6	36.1.3
2025-07-01T14:32:36.675418+00:00	GHSA Importer	Fixing	VCID-u529-67z7-fqab	https://github.com/advisories/GHSA-c4rj-wrmq-52rj	36.1.3
2025-07-01T12:30:50.249006+00:00	GithubOSV Importer	Fixing	VCID-9pv8-qu44-pfdq	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rqvj-fc2x-99q6/GHSA-rqvj-fc2x-99q6.json	36.1.3
2025-07-01T12:30:24.740763+00:00	GithubOSV Importer	Fixing	VCID-e22f-juem-wfbp	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2f58-vf6g-6p8x/GHSA-2f58-vf6g-6p8x.json	36.1.3
2025-07-01T12:29:55.583428+00:00	GithubOSV Importer	Fixing	VCID-2tm2-vez4-9uaf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rj9p-8jxj-2ch4/GHSA-rj9p-8jxj-2ch4.json	36.1.3
2025-07-01T12:29:29.880101+00:00	GithubOSV Importer	Fixing	VCID-71jb-2wz1-hfcg	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4vr7-m8p8-434h/GHSA-4vr7-m8p8-434h.json	36.1.3
2025-07-01T12:29:07.286993+00:00	GithubOSV Importer	Fixing	VCID-pn1r-swzg-bbgy	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h8qx-mj6v-2934/GHSA-h8qx-mj6v-2934.json	36.1.3
2025-07-01T12:27:33.752949+00:00	GithubOSV Importer	Fixing	VCID-u529-67z7-fqab	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c4rj-wrmq-52rj/GHSA-c4rj-wrmq-52rj.json	36.1.3