Search for packages
| purl | pkg:composer/mediawiki/core@1.20.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2txe-5685-aaar
Aliases: CVE-2019-12467 GHSA-6vfg-8ppv-h5hg |
MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-3yrw-9sdc-aaac
Aliases: CVE-2020-10959 GHSA-mqhw-wq8p-vf5r |
resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page. |
Affected by 10 other vulnerabilities. |
|
VCID-59gg-vg2h-aaae
Aliases: CVE-2023-29141 GHSA-5vj8-g3qg-4qh6 |
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-aap7-715h-aaab
Aliases: CVE-2019-12472 GHSA-7mqg-5fgh-xh4r |
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-ah5y-k5sb-aaap
Aliases: CVE-2021-41800 GHSA-c8wv-qwwc-6j73 |
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled. |
Affected by 2 other vulnerabilities. |
|
VCID-aus1-t1px-aaar
Aliases: CVE-2023-45363 GHSA-w5fx-cx7f-6vr9 |
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-c3a8-ytq6-aaan
Aliases: CVE-2014-2853 GHSA-6h86-9r5g-f2h5 |
Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action. |
Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jwgf-c1pr-aaan
Aliases: CVE-2020-15005 GHSA-xpv7-93cm-4mxv |
In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled. |
Affected by 9 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-vvnj-ee7s-aaaq
Aliases: CVE-2023-37302 GHSA-fmrf-p77g-vv5c |
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute). |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||