Bitnami package
mediawiki
pkg:bitnami/mediawiki
Vulnerabilities (172)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-41799 | — | < 1.36.2 | 1.36.2 | Oct 11, 2021 | MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan. | ||
| CVE-2021-41798 | — | < 1.36.2 | 1.36.2 | Oct 11, 2021 | MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page. | ||
| CVE-2021-42045 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote. | ||
| CVE-2021-42046 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript. | ||
| CVE-2021-42047 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can login with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallba | ||
| CVE-2021-42048 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits. | ||
| CVE-2021-42049 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in the Translate extension in MediaWiki through 1.36.2. Oversighters cannot undo revisions or oversight on pages where they suppressed information (such as PII). This allows oversighters to whitewash revisions. | ||
| CVE-2021-42040 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in MediaWiki through 1.36.2. A parser function related to loop control allowed for an infinite loop (and php-fpm hang) within the Loops extension because egLoopsCountLimit is mishandled. This could lead to memory exhaustion. | ||
| CVE-2021-42041 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log. | ||
| CVE-2021-42042 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and Java | ||
| CVE-2021-42043 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intit | ||
| CVE-2021-42044 | — | < 1.36.3 | 1.36.3 | Oct 6, 2021 | An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, | ||
| CVE-2021-31556 | — | < 1.35.3 | 1.35.3 | Aug 12, 2021 | An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob. | ||
| CVE-2021-36125 | — | < 1.36.1 | 1.36.1 | Jul 2, 2021 | An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalRenameRequest page is vulnerable to infinite loops and denial of service attacks when a user's current username is beyond an arbitrary maximum configuration value (MaxNameChars). | ||
| CVE-2021-36126 | — | < 1.36.1 | 1.36.1 | Jul 2, 2021 | An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36. If the MediaWiki:Abusefilter-blocker message is invalid within the content language, the filter user falls back to the English version, but that English version could also be invalid on a wiki. This w | ||
| CVE-2021-36127 | — | < 1.36.1 | 1.36.1 | Jul 2, 2021 | An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed | ||
| CVE-2021-36128 | — | < 1.36.1 | 1.36.1 | Jul 2, 2021 | An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Autoblocks for CentralAuth-issued suppression blocks are not properly implemented. | ||
| CVE-2021-36129 | — | < 1.36.1 | 1.36.1 | Jul 2, 2021 | An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' | ||
| CVE-2021-36130 | — | < 1.36.1 | 1.36.1 | Jul 2, 2021 | An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could easil | ||
| CVE-2021-36131 | — | < 1.36.1 | 1.36.1 | Jul 2, 2021 | An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users. |
- CVE-2021-41799Oct 11, 2021affected < 1.36.2fixed 1.36.2
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan.
- CVE-2021-41798Oct 11, 2021affected < 1.36.2fixed 1.36.2
MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.
- CVE-2021-42045Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote.
- CVE-2021-42046Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.
- CVE-2021-42047Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can login with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallba
- CVE-2021-42048Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.
- CVE-2021-42049Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in the Translate extension in MediaWiki through 1.36.2. Oversighters cannot undo revisions or oversight on pages where they suppressed information (such as PII). This allows oversighters to whitewash revisions.
- CVE-2021-42040Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in MediaWiki through 1.36.2. A parser function related to loop control allowed for an infinite loop (and php-fpm hang) within the Loops extension because egLoopsCountLimit is mishandled. This could lead to memory exhaustion.
- CVE-2021-42041Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log.
- CVE-2021-42042Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and Java
- CVE-2021-42043Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intit
- CVE-2021-42044Oct 6, 2021affected < 1.36.3fixed 1.36.3
An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline,
- CVE-2021-31556Aug 12, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob.
- CVE-2021-36125Jul 2, 2021affected < 1.36.1fixed 1.36.1
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalRenameRequest page is vulnerable to infinite loops and denial of service attacks when a user's current username is beyond an arbitrary maximum configuration value (MaxNameChars).
- CVE-2021-36126Jul 2, 2021affected < 1.36.1fixed 1.36.1
An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36. If the MediaWiki:Abusefilter-blocker message is invalid within the content language, the filter user falls back to the English version, but that English version could also be invalid on a wiki. This w
- CVE-2021-36127Jul 2, 2021affected < 1.36.1fixed 1.36.1
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed
- CVE-2021-36128Jul 2, 2021affected < 1.36.1fixed 1.36.1
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Autoblocks for CentralAuth-issued suppression blocks are not properly implemented.
- CVE-2021-36129Jul 2, 2021affected < 1.36.1fixed 1.36.1
An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups'
- CVE-2021-36130Jul 2, 2021affected < 1.36.1fixed 1.36.1
An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could easil
- CVE-2021-36131Jul 2, 2021affected < 1.36.1fixed 1.36.1
An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users.
Page 6 of 9