purl: pkg:composer/mediawiki/core@1.32.0
Vulnerability | Summary | Fixed by
---|---|---
VCID-2txe-5685-aaar (aliases: CVE-2019-12467, GHSA-6vfg-8ppv-h5hg) | MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Affected by 13 other vulnerabilities.
VCID-3yrw-9sdc-aaac (aliases: CVE-2020-10959, GHSA-mqhw-wq8p-vf5r) | resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page. | Affected by 10 other vulnerabilities.
VCID-4q2b-jwqb-aaas (aliases: CVE-2019-12470, GHSA-733q-m38x-q7cc) | Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Affected by 13 other vulnerabilities.
VCID-59gg-vg2h-aaae (aliases: CVE-2023-29141, GHSA-5vj8-g3qg-4qh6) | An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities.
VCID-7jf3-227f-aaas (aliases: CVE-2020-25815, GHSA-2f58-vf6g-6p8x) | An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text(). | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities.
VCID-8ex1-6xse-aaab (aliases: CVE-2019-19709, GHSA-pjv5-vv93-p648) | MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. | Affected by 11 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities.
VCID-aap7-715h-aaab (aliases: CVE-2019-12472, GHSA-7mqg-5fgh-xh4r) | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Affected by 13 other vulnerabilities.
VCID-ah5y-k5sb-aaap (aliases: CVE-2021-41800, GHSA-c8wv-qwwc-6j73) | MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled. | Affected by 2 other vulnerabilities.
VCID-aus1-t1px-aaar (aliases: CVE-2023-45363, GHSA-w5fx-cx7f-6vr9) | An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities.
VCID-bhgn-gct9-aaae (aliases: CVE-2019-12466, GHSA-27fw-r78j-h898) | Wikimedia MediaWiki through 1.32.1 allows CSRF. | Affected by 13 other vulnerabilities.
VCID-bp3f-tajm-aaaf (aliases: CVE-2020-25814, GHSA-4vr7-m8p8-434h) | In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities.
VCID-f9ks-vah3-aaaa (aliases: CVE-2019-12474, GHSA-2qrr-c2gh-pr35) | Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Affected by 13 other vulnerabilities.
VCID-fe1a-1s8p-aaaf (aliases: CVE-2019-16738, GHSA-7hwr-f745-5rwq) | In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. | Affected by 12 other vulnerabilities. Affected by 13 other vulnerabilities.
VCID-fwhc-xtwd-aaag (aliases: CVE-2019-12469, GHSA-x3fr-w7r5-x7rg) | MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Affected by 13 other vulnerabilities.
VCID-hgcw-v93v-aaad (aliases: CVE-2020-25828, GHSA-h8qx-mj6v-2934) | An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities.
VCID-jwgf-c1pr-aaan (aliases: CVE-2020-15005, GHSA-xpv7-93cm-4mxv) | In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled. | Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities.
VCID-n724-h9bq-aaak (aliases: CVE-2020-25813, GHSA-c4rj-wrmq-52rj) | In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users. | Affected by 4 other vulnerabilities.
VCID-qynw-xq2t-aaap (aliases: CVE-2019-12468, GHSA-wrhx-3pxr-6vgg) | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. | Affected by 13 other vulnerabilities.
VCID-vvnj-ee7s-aaaq (aliases: CVE-2023-37302, GHSA-fmrf-p77g-vv5c) | An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute). | Affected by 1 other vulnerability.
VCID-xb7m-ngk2-aaae (aliases: CVE-2020-25827, GHSA-rqvj-fc2x-99q6) | An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. | Affected by 4 other vulnerabilities.
VCID-zqf1-jg5k-aaap (aliases: CVE-2019-12473, GHSA-33xw-x3pr-rvqj) | Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Affected by 13 other vulnerabilities.
Vulnerability | Summary | Aliases
---|---|---
This package is not known to fix vulnerabilities. | |