Bitnami package
mediawiki
pkg:bitnami/mediawiki
Vulnerabilities (172)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-47927 | — | < 1.35.9 | 1.35.9 | Jan 12, 2023 | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. | ||
| CVE-2023-22945 | — | < 1.39.1 | 1.39.1 | Jan 11, 2023 | In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. | ||
| CVE-2023-22911 | — | < 1.35.9 | 1.35.9 | Jan 10, 2023 | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attr | ||
| CVE-2023-22909 | — | < 1.35.9 | 1.35.9 | Jan 10, 2023 | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow. | ||
| CVE-2022-41767 | — | < 1.35.8 | 1.35.8 | Dec 26, 2022 | An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions wh | ||
| CVE-2022-41765 | — | < 1.35.8 | 1.35.8 | Dec 26, 2022 | An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. | ||
| CVE-2021-44856 | — | < 1.35.5 | 1.35.5 | Dec 26, 2022 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value. | ||
| CVE-2021-44855 | — | < 1.35.5 | 1.35.5 | Dec 26, 2022 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature. | ||
| CVE-2021-44854 | — | < 1.35.5 | 1.35.5 | Dec 26, 2022 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis. | ||
| CVE-2022-28204 | — | >= 1.37.0, < 1.37.2 | 1.37.2 | Sep 19, 2022 | A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk. | ||
| CVE-2022-28203 | — | < 1.35.6 | 1.35.6 | Sep 19, 2022 | A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query. | ||
| CVE-2022-28201 | — | < 1.35.6 | 1.35.6 | Sep 19, 2022 | An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. | ||
| CVE-2022-39194 | — | < 1.38.3 | 1.38.3 | Sep 2, 2022 | An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed. | ||
| CVE-2022-34912 | — | < 1.37.3 | 1.37.3 | Jul 2, 2022 | An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped. | ||
| CVE-2022-34911 | — | < 1.35.7 | 1.35.7 | Jul 2, 2022 | An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, | ||
| CVE-2022-34750 | — | < 1.38.2 | 1.38.2 | Jun 28, 2022 | An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vect | ||
| CVE-2022-28323 | — | < 1.37.3 | 1.37.3 | Apr 30, 2022 | An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported, | ||
| CVE-2022-29903 | — | < 1.37.3 | 1.37.3 | Apr 29, 2022 | The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains. | ||
| CVE-2022-29904 | — | < 1.37.3 | 1.37.3 | Apr 29, 2022 | The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints. | ||
| CVE-2022-29905 | — | < 1.37.3 | 1.37.3 | Apr 29, 2022 | The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF. |
- CVE-2022-47927Jan 12, 2023affected < 1.35.9fixed 1.35.9
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users.
- CVE-2023-22945Jan 11, 2023affected < 1.39.1fixed 1.39.1
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.
- CVE-2023-22911Jan 10, 2023affected < 1.35.9fixed 1.35.9
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attr
- CVE-2023-22909Jan 10, 2023affected < 1.35.9fixed 1.35.9
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.
- CVE-2022-41767Dec 26, 2022affected < 1.35.8fixed 1.35.8
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions wh
- CVE-2022-41765Dec 26, 2022affected < 1.35.8fixed 1.35.8
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.
- CVE-2021-44856Dec 26, 2022affected < 1.35.5fixed 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.
- CVE-2021-44855Dec 26, 2022affected < 1.35.5fixed 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.
- CVE-2021-44854Dec 26, 2022affected < 1.35.5fixed 1.35.5
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.
- CVE-2022-28204Sep 19, 2022affected >= 1.37.0, < 1.37.2fixed 1.37.2
A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk.
- CVE-2022-28203Sep 19, 2022affected < 1.35.6fixed 1.35.6
A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.
- CVE-2022-28201Sep 19, 2022affected < 1.35.6fixed 1.35.6
An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.
- CVE-2022-39194Sep 2, 2022affected < 1.38.3fixed 1.38.3
An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed.
- CVE-2022-34912Jul 2, 2022affected < 1.37.3fixed 1.37.3
An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.
- CVE-2022-34911Jul 2, 2022affected < 1.35.7fixed 1.35.7
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username,
- CVE-2022-34750Jun 28, 2022affected < 1.38.2fixed 1.38.2
An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vect
- CVE-2022-28323Apr 30, 2022affected < 1.37.3fixed 1.37.3
An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,
- CVE-2022-29903Apr 29, 2022affected < 1.37.3fixed 1.37.3
The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.
- CVE-2022-29904Apr 29, 2022affected < 1.37.3fixed 1.37.3
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints.
- CVE-2022-29905Apr 29, 2022affected < 1.37.3fixed 1.37.3
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.
Page 4 of 9