VYPR

Packagist (Composer) package

mediawiki/core

pkg:composer/mediawiki/core

Vulnerabilities (28)

  • CVE-2023-45363 (Oct 9, 2023)
    affected: < 1.35.12; fixed: 1.35.12

    An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants wit

  • CVE-2023-29141 (Mar 31, 2023)
    affected: >= 1.39.0, < 1.39.3; fixed: 1.39.3

    An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.

  • CVE-2021-41800 (Oct 11, 2021)
    affected: < 1.36.2; fixed: 1.36.2

    MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled.

  • CVE-2020-25813 (Sep 27, 2020)
    affected: >= 1.31.0, < 1.31.9; fixed: 1.31.9

    In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.

  • CVE-2020-25827 (Sep 27, 2020)
    affected: >= 1.31.0, < 1.31.9; fixed: 1.31.9

    An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests c

  • CVE-2020-25828 (Sep 27, 2020)
    affected: >= 1.31.0, < 1.31.9; fixed: 1.31.9

    An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input).

  • CVE-2020-25814 (Sep 27, 2020)
    affected: >= 1.31.0, < 1.31.9; fixed: 1.31.9

    In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not c

  • CVE-2020-25815 (Sep 27, 2020)
    affected: >= 1.32.0, < 1.34.3; fixed: 1.34.3

    An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().

  • CVE-2020-25812 (Sep 27, 2020)
    affected: >= 1.34.0, < 1.34.3; fixed: 1.34.3

    An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.

  • CVE-2020-15005 (Jun 24, 2020)
    affected: < 1.31.8; fixed: 1.31.8

    In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs

  • CVE-2020-10959 (Jun 2, 2020)
    affected: < 1.34.0-rc.0; fixed: 1.34.0-rc.0

    resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page.

  • CVE-2020-10960 (Apr 3, 2020)
    affected: >= 1.31.0, < 1.31.7; fixed: 1.31.7

    In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows apply

  • CVE-2019-19709 (Dec 11, 2019)
    affected: >= 1.31.0, < 1.31.6; fixed: 1.31.6

    MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.

  • CVE-2019-16738 (Med) (Sep 26, 2019)
    affected: >= 1.31.0, < 1.31.4; fixed: 1.31.4

    In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.

  • CVE-2019-12470 (Jul 10, 2019)
    affected: >= 1.27.0, < 1.27.6; fixed: 1.27.6

    Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

  • CVE-2019-12469 (Jul 10, 2019)
    affected: >= 1.27.0, < 1.27.6; fixed: 1.27.6

    MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

  • CVE-2019-12474 (Jul 10, 2019)
    affected: >= 1.27.0, < 1.27.6; fixed: 1.27.6

    Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

  • CVE-2019-12472 (Jul 10, 2019)
    affected: >= 1.18.0, < 1.27.6; fixed: 1.27.6

    An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

  • CVE-2019-12471 (Jul 10, 2019)
    affected: >= 1.27.0, < 1.27.6; fixed: 1.27.6

    Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

  • CVE-2019-12473 (Jul 10, 2019)
    affected: >= 1.27.0, < 1.27.6; fixed: 1.27.6

    Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

Page 1 of 2