VYPR

Bitnami package

mediawiki

pkg:bitnami/mediawiki

Vulnerabilities (172)

  • CVE-2022-47927Jan 12, 2023
    affected < 1.35.9fixed 1.35.9

    An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users.

  • CVE-2023-22945Jan 11, 2023
    affected < 1.39.1fixed 1.39.1

    In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.

  • CVE-2023-22911Jan 10, 2023
    affected < 1.35.9fixed 1.35.9

    An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attr

  • CVE-2023-22909Jan 10, 2023
    affected < 1.35.9fixed 1.35.9

    An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.

  • CVE-2022-41767Dec 26, 2022
    affected < 1.35.8fixed 1.35.8

    An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions wh

  • CVE-2022-41765Dec 26, 2022
    affected < 1.35.8fixed 1.35.8

    An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.

  • CVE-2021-44856Dec 26, 2022
    affected < 1.35.5fixed 1.35.5

    An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.

  • CVE-2021-44855Dec 26, 2022
    affected < 1.35.5fixed 1.35.5

    An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.

  • CVE-2021-44854Dec 26, 2022
    affected < 1.35.5fixed 1.35.5

    An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.

  • CVE-2022-28204Sep 19, 2022
    affected >= 1.37.0, < 1.37.2fixed 1.37.2

    A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk.

  • CVE-2022-28203Sep 19, 2022
    affected < 1.35.6fixed 1.35.6

    A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.

  • CVE-2022-28201Sep 19, 2022
    affected < 1.35.6fixed 1.35.6

    An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.

  • CVE-2022-39194Sep 2, 2022
    affected < 1.38.3fixed 1.38.3

    An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed.

  • CVE-2022-34912Jul 2, 2022
    affected < 1.37.3fixed 1.37.3

    An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.

  • CVE-2022-34911Jul 2, 2022
    affected < 1.35.7fixed 1.35.7

    An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username,

  • CVE-2022-34750Jun 28, 2022
    affected < 1.38.2fixed 1.38.2

    An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vect

  • CVE-2022-28323Apr 30, 2022
    affected < 1.37.3fixed 1.37.3

    An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,

  • CVE-2022-29903Apr 29, 2022
    affected < 1.37.3fixed 1.37.3

    The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.

  • CVE-2022-29904Apr 29, 2022
    affected < 1.37.3fixed 1.37.3

    The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints.

  • CVE-2022-29905Apr 29, 2022
    affected < 1.37.3fixed 1.37.3

    The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.

Page 4 of 9