Packagist (Composer) package
mediawiki/core
pkg:composer/mediawiki/core
Vulnerabilities (28)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-12466 | — | | | >= 1.27.0, < 1.27.6 | 1.27.6 | Jul 10, 2019 | Wikimedia MediaWiki through 1.32.1 allows CSRF. |
| CVE-2019-12468 | — | | | >= 1.27.0, < 1.27.6 | 1.27.6 | Jul 10, 2019 | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. |
| CVE-2019-12467 | — | | | < 1.27.6 | 1.27.6 | Jul 10, 2019 | MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
| CVE-2018-13258 | — | | | >= 1.31.0, < 1.31.1 | 1.31.1 | Oct 4, 2018 | Mediawiki 1.31 before 1.31.1 misses .htaccess files in the provided tarball used to protect some directories that shouldn't be web accessible. |
| CVE-2018-0505 | — | | | >= 1.27.0, < 1.27.5 | 1.27.5 | Oct 4, 2018 | Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock. |
| CVE-2018-0504 | — | | | >= 1.27.0, < 1.27.5 | 1.27.5 | Oct 4, 2018 | Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid. |
| CVE-2018-0503 | — | | | >= 1.27.0, < 1.27.5 | 1.27.5 | Oct 4, 2018 | Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where, contrary to the documentation, the $wgRateLimits entry for 'user' overrides that for 'newbie'. |
| CVE-2014-2853 | — | | | < 1.21.9 | 1.21.9 | Apr 29, 2014 | Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action. |
Page 2 of 2