Search for packages
| purl | pkg:deb/debian/mediawiki@1:1.35.13-1%2Bdeb11u2 |
| Next non-vulnerable version | 1:1.39.13-1~deb12u1 |
| Latest non-vulnerable version | 1:1.39.13-1~deb12u1 |
| Risk | 2.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3w12-rj24-uqds
Aliases: CVE-2025-6595 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-6mzr-p5f8-3qd1
Aliases: CVE-2025-32698 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-d7vh-6t1f-6fcz
Aliases: CVE-2025-6590 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-e75u-66tu-kqcj
Aliases: CVE-2025-3469 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-ev4v-equp-q3c2
Aliases: CVE-2025-6594 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-f7sj-37hx-jufx
Aliases: CVE-2025-6591 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-kx4b-gpc1-aqa8
Aliases: CVE-2025-6593 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-nu2f-76a5-nucp
Aliases: CVE-2025-32072 |
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection.This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-r952-dxkq-vbdy
Aliases: CVE-2025-6926 |
Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows : Bypass Authentication.This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. |
Affected by 1 other vulnerability. |
|
VCID-sk2r-zb1q-mygn
Aliases: CVE-2023-51704 |
mediawiki: group-.*-member messages are not properly escaped on Special:log/rights |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-ue85-5gy8-2bdw
Aliases: CVE-2025-6597 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-yjgw-hrsr-q3bz
Aliases: CVE-2025-32699 |
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-zh3t-wu8f-73b5
Aliases: CVE-2025-32697 |
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php. This issue affects MediaWiki: before 1.42.6, 1.43.1. |
Affected by 0 other vulnerabilities. |
|
VCID-zzg3-w43c-bybp
Aliases: CVE-2025-32696 |
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-13vu-q5g8-43e3 | mediawiki: ApiQueryBacklinks can cause a full table scan and as a result DoS |
CVE-2021-41799
|
| VCID-15pn-z816-zbb6 | MediaWiki Denial of Service vulnerability An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. |
CVE-2023-45363
GHSA-w5fx-cx7f-6vr9 |
| VCID-1f2h-hvvd-g7dg | mediawiki: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression |
CVE-2023-45362
|
| VCID-1kpb-6pyc-byb4 | MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) |
CVE-2020-25828
GHSA-h8qx-mj6v-2934 |
| VCID-2nan-sz96-1fhq | X-Forwarded-For header allows brute-forcing autoblocked IP addresses An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. |
CVE-2023-29141
GHSA-5vj8-g3qg-4qh6 |
| VCID-3tnx-tb4s-zyfk | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value. |
CVE-2021-44856
|
| VCID-5buj-b91g-3fd8 | Regular Expression Denial of Service in papaparse Versions of `papaparse` prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The `parse` function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service. ## Recommendation Upgrade to version 5.2.0 or later. |
CVE-2020-36649
GHSA-qvjc-g5vr-mfgr GMS-2020-421 |
| VCID-64zq-vmwp-hfge | mediawiki: messages userrights-expiry-current and userrights-expiry-none can contain raw html |
CVE-2020-35475
|
| VCID-6aqu-4zcv-jfdx | Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator. |
CVE-2023-3550
|
| VCID-7cfn-d6k8-43g5 | An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor. |
CVE-2021-30153
|
| VCID-7x1v-fbsz-jfbr | MediaWiki allows a denial of service MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled. |
CVE-2021-41800
GHSA-c8wv-qwwc-6j73 |
| VCID-855f-2pne-gycx | mediawiki: blocked users are able to purge pages impacting Integrity |
CVE-2021-35197
|
| VCID-93d7-4h9f-8fga | An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. |
CVE-2022-41765
|
| VCID-9ejm-72ax-skgw | An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. |
CVE-2023-45360
|
| VCID-ags3-2tv9-mqh8 | multiple issues |
CVE-2021-41801
|
| VCID-b6d9-um1e-cbdv | An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature. |
CVE-2023-36675
|
| VCID-bewy-kfs2-6fc3 | mediawiki: information disclosure |
CVE-2021-44858
|
| VCID-bh1q-uc3v-afgf | An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax. |
CVE-2023-36674
|
| VCID-ch4p-fdd8-kkcf | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis. |
CVE-2021-44854
|
| VCID-eabm-r6ua-nbcv | CURLOPT_HTTPAUTH option not cleared on change of origin ### Impact `Authorization` headers on requests are sensitive information. When using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` and `CURLOPT_USERPWD` options before continuing, stopping curl from appending the `Authorization` header to the new request. Previously, we would only consider a change in host. Now, we consider any change in host, port or scheme to be a change in origin. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. ### Workarounds If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle stream handler backend, rather than curl. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) * [CVE-2022-27776](https://curl.se/docs/CVE-2022-27776.html) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
CVE-2022-31090
GHSA-25mq-v84q-4j7r GMS-2022-2528 |
| VCID-epav-z3qb-rbej | mediawiki: information disclosure and manipulation possible under specific conditions |
CVE-2021-44857
|
| VCID-gkzq-thjf-z7fa | An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
CVE-2021-20270
GHSA-9w8r-397f-prfh PYSEC-2021-140 |
| VCID-h853-1syx-g7he | Wikimedia Parsoid vulnerable to Cross-site Scripting (XSS) An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization steps, and potentially allowing for XSS. |
CVE-2021-30458
GHSA-5pqx-77vf-85rw |
| VCID-hghy-83ke-23eu | Cross-domain cookie leakage in Guzzle ### Impact Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example.net`, logging the Guzzle client into their account and retrieving private API requests from the security log of their account. Note that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with `['cookies' => true]` are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3. ### Workarounds If you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off. ### References * [RFC6265 Section 5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
CVE-2022-29248
GHSA-cwmx-hcrq-mhc3 |
| VCID-hp2f-gn21-gkce | A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query. |
CVE-2022-28203
|
| VCID-hxv2-v9z1-3qh8 | Change in port should be considered a change in origin ### Impact `Authorization` and `Cookie` headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme downgrade. Now, we consider any change in host, port or scheme to be a change in origin. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) * [CVE-2022-27776](https://curl.se/docs/CVE-2022-27776.html) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
CVE-2022-31091
GHSA-q559-8m2m-g699 GMS-2022-2529 |
| VCID-j741-kstk-pqgn | MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text(). |
CVE-2020-25815
GHSA-2f58-vf6g-6p8x |
| VCID-j919-vgae-yqew | mediawiki: action=protect lets users with 'protect' permission protect to higher protection level |
CVE-2021-30152
|
| VCID-krs8-9ssu-rye5 | mediawiki: potential XSS via MediaWiki:blanknamespace outputting Block Logs |
CVE-2020-35478
|
| VCID-m44t-5z4c-juej | mediawiki: Cross-site scripting (XSS) in Special:Search |
CVE-2021-41798
|
| VCID-mz2m-vq2z-aygk | mediawiki: divergent behavior for contributions and user pages of hidden users and missing users |
CVE-2020-35480
|
| VCID-nvmk-rsyq-43fn | mediawiki: XSS due to unescaped messages used in HTML on ChangesList pages |
CVE-2021-30157
|
| VCID-p8gc-bk7w-1khy | MediaWiki Cross-site Scripting (XSS) vulnerability In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. |
CVE-2020-25814
GHSA-4vr7-m8p8-434h |
| VCID-p93c-damj-kbec | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
CVE-2021-27291
GHSA-pq64-v7f5-gqh8 PYSEC-2021-141 |
| VCID-pe96-2tca-bqgu | mediawiki: potential XSS via the month messages such as MediaWiki:january through MediaWiki:december outputting Block Logs |
CVE-2020-35479
|
| VCID-pgv1-bdcx-2ug6 | An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup. |
CVE-2022-41767
|
| VCID-pj3h-4tp6-ykhk | MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.34.x before 1.34.3. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML. |
CVE-2020-25812
GHSA-rj9p-8jxj-2ch4 |
| VCID-qp7a-rnx9-muey | An issue was discovered in includes/specials/SpecialMovePage.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. If a user with the necessary rights to move the page opens Special:MovePage for a page with tens of thousands of subpages, then the page will exceed the maximum request time, leading to a denial of service. |
CVE-2024-34506
|
| VCID-rd8y-cyj3-sqau | mediawiki: information disclosure |
CVE-2021-45038
|
| VCID-s3j4-6zrg-nbc4 | Failure to strip the Cookie header on change in host or HTTP downgrade ### Impact `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
CVE-2022-31042
GHSA-f2wf-25xc-69c9 |
| VCID-sfnb-39u7-cbap | MediaWiki Special:UserRights exposes the existence of hidden users In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users. |
CVE-2020-25813
GHSA-c4rj-wrmq-52rj |
| VCID-sh4s-g6hc-vbhf | mediawiki: users can bypass intended restrictions on deleting pages in certain "fast double move" situations |
CVE-2021-30159
|
| VCID-tbk5-k2e8-8kay | mediawiki: unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage |
CVE-2020-35477
|
| VCID-tgh8-se9x-53cv | mediawiki: Cross-site Scripting |
CVE-2022-34911
|
| VCID-tqsa-cpsf-gyee | Fix failure to strip Authorization header on HTTP downgrade ### Impact `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
CVE-2022-31043
GHSA-w248-ffj2-4v5q |
| VCID-tt4v-8w1b-8bfy | mediawiki: xss due to incorrect escaping |
CVE-2022-28202
|
| VCID-txrx-5js8-eybm | mediawiki: ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page |
CVE-2021-30155
|
| VCID-u3rd-a1y3-eygq | mediawiki: Username not escaped in the contributions-title message |
CVE-2022-34912
|
| VCID-ux7m-sv8j-ybeq | OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. |
CVE-2020-25827
GHSA-rqvj-fc2x-99q6 |
| VCID-w8h5-th3q-yffz | mediawiki: XSS due to unescaped messages used in HTML on Special:NewFiles |
CVE-2021-30154
|
| VCID-whsr-x65a-qbfd | An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. |
CVE-2022-28201
|
| VCID-x318-4ypf-cue6 | mediawiki: message recentchanges-legend-watchlistexpiry can contain raw html |
CVE-2020-35474
|
| VCID-xcxk-97jc-dyer | mediawiki: blocked users are unable to use Special:ResetTokens |
CVE-2021-30158
|
| VCID-z4gr-zsn8-cfcz | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature. |
CVE-2021-44855
|
| VCID-zccp-k413-2yhy | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data. |
CVE-2022-47927
|