Search for packages
| purl | pkg:composer/mediawiki/core@1.31.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3yrw-9sdc-aaac
Aliases: CVE-2020-10959 GHSA-mqhw-wq8p-vf5r |
resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page. |
Affected by 10 other vulnerabilities. |
|
VCID-59gg-vg2h-aaae
Aliases: CVE-2023-29141 GHSA-5vj8-g3qg-4qh6 |
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-ah5y-k5sb-aaap
Aliases: CVE-2021-41800 GHSA-c8wv-qwwc-6j73 |
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled. |
Affected by 2 other vulnerabilities. |
|
VCID-aus1-t1px-aaar
Aliases: CVE-2023-45363 GHSA-w5fx-cx7f-6vr9 |
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vvnj-ee7s-aaaq
Aliases: CVE-2023-37302 GHSA-fmrf-p77g-vv5c |
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute). |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-bp3f-tajm-aaaf | In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. |
CVE-2020-25814
GHSA-4vr7-m8p8-434h |
| VCID-hgcw-v93v-aaad | An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) |
CVE-2020-25828
GHSA-h8qx-mj6v-2934 |
| VCID-n724-h9bq-aaak | In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users. |
CVE-2020-25813
GHSA-c4rj-wrmq-52rj |
| VCID-xb7m-ngk2-aaae | An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. |
CVE-2020-25827
GHSA-rqvj-fc2x-99q6 |