Package details: pkg:composer/mediawiki/core@1.30.2
purl pkg:composer/mediawiki/core@1.30.2
Next non-vulnerable version 1.35.12
Latest non-vulnerable version 1.40.1
Risk 4.5
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-4216-ztjb-hke8
Aliases:
CVE-2020-15005
GHSA-xpv7-93cm-4mxv
img_auth.php may leak private extension images into the public cache
In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled.
1.31.8
Affected by 8 other vulnerabilities.
1.33.4
Affected by 9 other vulnerabilities.
1.34.2
Affected by 9 other vulnerabilities.
VCID-6nc9-g17a-ykds
Aliases:
CVE-2021-41800
GHSA-c8wv-qwwc-6j73
multiple issues
1.36.2
Affected by 1 other vulnerability.
VCID-ezum-tdjw-mbap
Aliases:
CVE-2023-29141
GHSA-5vj8-g3qg-4qh6
X-Forwarded-For header allows brute-forcing autoblocked IP addresses
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.
1.35.10
Affected by 1 other vulnerability.
1.38.6
Affected by 1 other vulnerability.
1.39.3
Affected by 1 other vulnerability.
VCID-ph5q-kshb-bqb7
Aliases:
CVE-2020-10959
GHSA-mqhw-wq8p-vf5r
MediaWiki Open Redirect vulnerability
resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.34.0-rc.0 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page.
1.34.0-rc.0
Affected by 9 other vulnerabilities.
VCID-rxjs-5p57-wbh1
Aliases:
CVE-2023-45363
GHSA-w5fx-cx7f-6vr9
MediaWiki Denial of Service vulnerability
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set.
1.35.12
Affected by 0 other vulnerabilities.
1.39.5
Affected by 0 other vulnerabilities.
1.40.1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (9)
Vulnerability Summary Aliases
VCID-5u5t-5h7j-vkd2
Wikimedia Potential DOS due to slow WatchedItemStore::countVisitingWatchersMultiple
Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Aliases:
CVE-2019-12473
GHSA-33xw-x3pr-rvqj
VCID-a7y8-1zeh-5uaq
MediaWiki Incorrect Access Control vulnerability
MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Aliases:
CVE-2019-12469
GHSA-x3fr-w7r5-x7rg
VCID-brw1-z6vq-hbdc
MediaWiki Incorrect Access Control vulnerability
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Aliases:
CVE-2019-12472
GHSA-7mqg-5fgh-xh4r
VCID-jpww-qv6m-m3eg
MediaWiki Incorrect Access Control vulnerability
MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Aliases:
CVE-2019-12467
GHSA-6vfg-8ppv-h5hg
VCID-ptnd-8zfz-9kh8
Wikimedia MediaWiki Incorrect Access Control vulnerability
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover.
Aliases:
CVE-2019-12468
GHSA-wrhx-3pxr-6vgg
VCID-qfs2-4jbr-dba6
MediaWiki Cross-site Scripting (XSS)
Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Aliases:
CVE-2019-12471
GHSA-2rm7-xxx8-35jh
VCID-r4hn-68he-4qec
Wikimedia information leak vulnerability
Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Aliases:
CVE-2019-12474
GHSA-2qrr-c2gh-pr35
VCID-ydvc-ykey-xugt
Wikimedia MediaWiki exposed suppressed log in RevisionDelete page
Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Aliases:
CVE-2019-12470
GHSA-733q-m38x-q7cc
VCID-yvs2-3ks2-pfh4
Wikimedia MediaWiki allows CSRF
Wikimedia MediaWiki through 1.32.1 allows CSRF in logout feature.
Aliases:
CVE-2019-12466
GHSA-27fw-r78j-h898

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-05T18:42:36.731479+00:00 GHSA Importer Fixing VCID-r4hn-68he-4qec https://github.com/advisories/GHSA-2qrr-c2gh-pr35 37.0.0
2025-07-05T18:42:36.646198+00:00 GHSA Importer Fixing VCID-yvs2-3ks2-pfh4 https://github.com/advisories/GHSA-27fw-r78j-h898 37.0.0
2025-07-05T18:42:36.592533+00:00 GHSA Importer Fixing VCID-a7y8-1zeh-5uaq https://github.com/advisories/GHSA-x3fr-w7r5-x7rg 37.0.0
2025-07-05T18:42:36.473858+00:00 GHSA Importer Fixing VCID-qfs2-4jbr-dba6 https://github.com/advisories/GHSA-2rm7-xxx8-35jh 37.0.0
2025-07-05T18:42:36.338373+00:00 GHSA Importer Fixing VCID-brw1-z6vq-hbdc https://github.com/advisories/GHSA-7mqg-5fgh-xh4r 37.0.0
2025-07-05T18:42:36.305070+00:00 GHSA Importer Fixing VCID-5u5t-5h7j-vkd2 https://github.com/advisories/GHSA-33xw-x3pr-rvqj 37.0.0
2025-07-05T18:42:36.288002+00:00 GHSA Importer Fixing VCID-ydvc-ykey-xugt https://github.com/advisories/GHSA-733q-m38x-q7cc 37.0.0
2025-07-05T18:42:36.253274+00:00 GHSA Importer Fixing VCID-ptnd-8zfz-9kh8 https://github.com/advisories/GHSA-wrhx-3pxr-6vgg 37.0.0
2025-07-05T18:42:36.230570+00:00 GHSA Importer Fixing VCID-jpww-qv6m-m3eg https://github.com/advisories/GHSA-6vfg-8ppv-h5hg 37.0.0
2025-07-03T18:51:15.302363+00:00 GitLab Importer Affected by VCID-rxjs-5p57-wbh1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2023-45363.yml 37.0.0
2025-07-03T18:41:43.137827+00:00 GitLab Importer Affected by VCID-ezum-tdjw-mbap https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2023-29141.yml 37.0.0
2025-07-03T18:24:02.952584+00:00 GitLab Importer Fixing VCID-brw1-z6vq-hbdc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2019-12472.yml 37.0.0
2025-07-03T18:23:36.318650+00:00 GitLab Importer Affected by VCID-ph5q-kshb-bqb7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2020-10959.yml 37.0.0
2025-07-03T18:23:21.705948+00:00 GitLab Importer Fixing VCID-qfs2-4jbr-dba6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2019-12471.yml 37.0.0
2025-07-03T18:23:20.702978+00:00 GitLab Importer Fixing VCID-r4hn-68he-4qec https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2019-12474.yml 37.0.0
2025-07-03T18:23:09.490970+00:00 GitLab Importer Fixing VCID-5u5t-5h7j-vkd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2019-12473.yml 37.0.0
2025-07-03T18:23:07.968230+00:00 GitLab Importer Fixing VCID-ptnd-8zfz-9kh8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2019-12468.yml 37.0.0
2025-07-03T18:22:44.497430+00:00 GitLab Importer Affected by VCID-4216-ztjb-hke8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2020-15005.yml 37.0.0
2025-07-03T18:22:26.583875+00:00 GitLab Importer Fixing VCID-yvs2-3ks2-pfh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2019-12466.yml 37.0.0
2025-07-03T18:21:33.636416+00:00 GitLab Importer Fixing VCID-a7y8-1zeh-5uaq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2019-12469.yml 37.0.0
2025-07-03T18:21:26.274197+00:00 GitLab Importer Fixing VCID-ydvc-ykey-xugt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2019-12470.yml 37.0.0
2025-07-03T18:21:11.384114+00:00 GitLab Importer Fixing VCID-jpww-qv6m-m3eg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2019-12467.yml 37.0.0
2025-07-03T18:20:45.139583+00:00 GitLab Importer Affected by VCID-6nc9-g17a-ykds https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mediawiki/core/CVE-2021-41800.yml 37.0.0
2025-07-01T12:29:39.814419+00:00 GithubOSV Importer Fixing VCID-qfs2-4jbr-dba6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2rm7-xxx8-35jh/GHSA-2rm7-xxx8-35jh.json 36.1.3
2025-07-01T12:29:35.569699+00:00 GithubOSV Importer Fixing VCID-a7y8-1zeh-5uaq https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x3fr-w7r5-x7rg/GHSA-x3fr-w7r5-x7rg.json 36.1.3
2025-07-01T12:29:15.422410+00:00 GithubOSV Importer Fixing VCID-ptnd-8zfz-9kh8 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wrhx-3pxr-6vgg/GHSA-wrhx-3pxr-6vgg.json 36.1.3
2025-07-01T12:28:26.218158+00:00 GithubOSV Importer Fixing VCID-jpww-qv6m-m3eg https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vfg-8ppv-h5hg/GHSA-6vfg-8ppv-h5hg.json 36.1.3
2025-07-01T12:27:35.328242+00:00 GithubOSV Importer Fixing VCID-brw1-z6vq-hbdc https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7mqg-5fgh-xh4r/GHSA-7mqg-5fgh-xh4r.json 36.1.3
2025-07-01T12:27:20.831613+00:00 GithubOSV Importer Fixing VCID-ydvc-ykey-xugt https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-733q-m38x-q7cc/GHSA-733q-m38x-q7cc.json 36.1.3
2025-07-01T12:27:12.121576+00:00 GithubOSV Importer Fixing VCID-5u5t-5h7j-vkd2 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-33xw-x3pr-rvqj/GHSA-33xw-x3pr-rvqj.json 36.1.3
2025-07-01T12:27:07.895776+00:00 GithubOSV Importer Fixing VCID-r4hn-68he-4qec https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2qrr-c2gh-pr35/GHSA-2qrr-c2gh-pr35.json 36.1.3
2025-07-01T12:25:47.257091+00:00 GithubOSV Importer Fixing VCID-yvs2-3ks2-pfh4 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-27fw-r78j-h898/GHSA-27fw-r78j-h898.json 36.1.3