Bitnami package
mediawiki
pkg:bitnami/mediawiki
Vulnerabilities (172)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-36132 | — | < 1.36.1 | 1.36.1 | Jul 2, 2021 | An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations | ||
| CVE-2021-35197 | — | < 1.31.15 | 1.31.15 | Jul 2, 2021 | In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" sho | ||
| CVE-2021-31545 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The page_recent_contributors leaked the existence of certain deleted MediaWiki usernames, related to rev_deleted. | ||
| CVE-2021-31546 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly logged sensitive suppression deletions, which should not have been visible to users with access to view AbuseFilter log data. | ||
| CVE-2021-31547 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules. | ||
| CVE-2021-31548 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed. | ||
| CVE-2021-31549 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users. | ||
| CVE-2021-31550 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers. | ||
| CVE-2021-31551 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages. | ||
| CVE-2021-31552 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create a | ||
| CVE-2021-31553 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2. MediaWiki usernames with trailing whitespace could be stored in the cu_log database table such that denial of service occurred for certain CheckUser extension pages and functionality. For example, th | ||
| CVE-2021-31554 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked. | ||
| CVE-2021-31555 | — | < 1.35.3 | 1.35.3 | Apr 22, 2021 | An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. It did not validate the oarc_version (aka oauth_registered_consumer.oarc_version) parameter's length. | ||
| CVE-2021-30159 | — | < 1.31.12 | 1.31.12 | Apr 9, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticle | ||
| CVE-2021-30156 | — | < 1.31.12 | 1.31.12 | Apr 9, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists. | ||
| CVE-2021-30155 | — | < 1.31.12 | 1.31.12 | Apr 9, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page. | ||
| CVE-2021-30152 | — | < 1.31.13 | 1.31.13 | Apr 9, 2021 | An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for. | ||
| CVE-2021-30154 | — | < 1.31.12 | 1.31.12 | Apr 6, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS. | ||
| CVE-2021-30157 | — | < 1.31.12 | 1.31.12 | Apr 6, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS. | ||
| CVE-2021-30158 | — | < 1.31.12 | 1.31.12 | Apr 6, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been comprom |
- CVE-2021-36132Jul 2, 2021affected < 1.36.1fixed 1.36.1
An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations
- CVE-2021-35197Jul 2, 2021affected < 1.31.15fixed 1.31.15
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" sho
- CVE-2021-31545Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The page_recent_contributors leaked the existence of certain deleted MediaWiki usernames, related to rev_deleted.
- CVE-2021-31546Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly logged sensitive suppression deletions, which should not have been visible to users with access to view AbuseFilter log data.
- CVE-2021-31547Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.
- CVE-2021-31548Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.
- CVE-2021-31549Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users.
- CVE-2021-31550Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers.
- CVE-2021-31551Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages.
- CVE-2021-31552Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create a
- CVE-2021-31553Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2. MediaWiki usernames with trailing whitespace could be stored in the cu_log database table such that denial of service occurred for certain CheckUser extension pages and functionality. For example, th
- CVE-2021-31554Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked.
- CVE-2021-31555Apr 22, 2021affected < 1.35.3fixed 1.35.3
An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. It did not validate the oarc_version (aka oauth_registered_consumer.oarc_version) parameter's length.
- CVE-2021-30159Apr 9, 2021affected < 1.31.12fixed 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticle
- CVE-2021-30156Apr 9, 2021affected < 1.31.12fixed 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists.
- CVE-2021-30155Apr 9, 2021affected < 1.31.12fixed 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page.
- CVE-2021-30152Apr 9, 2021affected < 1.31.13fixed 1.31.13
An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for.
- CVE-2021-30154Apr 6, 2021affected < 1.31.12fixed 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.
- CVE-2021-30157Apr 6, 2021affected < 1.31.12fixed 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.
- CVE-2021-30158Apr 6, 2021affected < 1.31.12fixed 1.31.12
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been comprom
Page 7 of 9