Search for packages
| purl | pkg:deb/ubuntu/mediawiki@1:1.31.2-1 |
| Next non-vulnerable version | 1:1.31.7-1 |
| Latest non-vulnerable version | 1:1.31.7-1 |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-8ex1-6xse-aaab
Aliases: CVE-2019-19709 GHSA-pjv5-vv93-p648 |
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. |
Affected by 1 other vulnerability. |
|
VCID-k3vw-m137-aaan
Aliases: CVE-2020-10960 GHSA-pfm2-mqwj-ggm5 |
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS). |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2txe-5685-aaar | MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12467
GHSA-6vfg-8ppv-h5hg |
| VCID-4q2b-jwqb-aaas | Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12470
GHSA-733q-m38x-q7cc |
| VCID-aap7-715h-aaab | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12472
GHSA-7mqg-5fgh-xh4r |
| VCID-bhgn-gct9-aaae | Wikimedia MediaWiki through 1.32.1 allows CSRF. |
CVE-2019-12466
GHSA-27fw-r78j-h898 |
| VCID-f9ks-vah3-aaaa | Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12474
GHSA-2qrr-c2gh-pr35 |
| VCID-fwhc-xtwd-aaag | MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12469
GHSA-x3fr-w7r5-x7rg |
| VCID-qynw-xq2t-aaap | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. |
CVE-2019-12468
GHSA-wrhx-3pxr-6vgg |
| VCID-tm36-42qs-aaah | Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12471
GHSA-2rm7-xxx8-35jh |
| VCID-zqf1-jg5k-aaap | Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12473
GHSA-33xw-x3pr-rvqj |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|