
CVE-2025-32700 – AbuseFilter log interfaces expose global private and hidden filters when central DB is not available
https://notcve.org/view.php?id=CVE-2025-32700
10 Apr 2025 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.php, includes/Pager/AbuseLogPager.php, includes/Special/SpecialAbuseLog.php, includes/View/AbuseFilterViewExamine.php. This issue affects AbuseFilter: from 1.43.0 before 1.43.1. • https://phabricator.wikimedia.org/T389235 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2025-32699 – Potential javascript injection attack enabled by Unicode normalization in Action API
https://notcve.org/view.php?id=CVE-2025-32699
10 Apr 2025 — Injection vulnerability (potential JavaScript injection enabled by Unicode normalization in the Action API) in Wikimedia Foundation MediaWiki and Wikimedia Foundation Parsoid. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2. • https://phabricator.wikimedia.org/T387130 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
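The advisory does not say which normalization step or which characters are involved, so the following is an added illustration of the general ordering bug, not MediaWiki's or Parsoid's code and not a reproduction of T387130: if output is validated or escaped first and Unicode-normalized afterwards, the normalization can turn harmless-looking code points into the ASCII characters the earlier check was looking for. The attribute blocklist (`is_event_handler`), the `render_*` helpers and the attacker strings are all constructed for this example. It covers two cases: NFKC folds fullwidth angle brackets into `<` and `>`, and even plain NFC has singleton decompositions to ASCII, such as KELVIN SIGN (U+212A) to `K`, which is enough to smuggle an `onclicK` attribute past a byte-oriented check.

```python
import html
import re
import unicodedata

# Constructed attacker inputs (not taken from the advisory or T387130).
KELVIN_SIGN = "\u212a"                       # NFC-normalizes to plain ASCII "K"
SNEAKY_HANDLER = "onclic" + KELVIN_SIGN      # becomes "onclicK" after NFC
FULLWIDTH_SCRIPT = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"  # fullwidth < and >, ASCII after NFKC

EVENT_HANDLER_RE = re.compile(r"^on[a-z]+$")


def ascii_lower(s: str) -> str:
    """Byte-oriented lowercase (like PHP's strtolower): only A-Z are folded.
    Python's str.lower() would map U+212A to 'k' and hide the bug being shown."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def is_event_handler(attr_name: str) -> bool:
    """Hypothetical attribute blocklist: rejects on* event-handler names."""
    return EVENT_HANDLER_RE.match(ascii_lower(attr_name)) is not None


def render_vulnerable(attr_name: str, value: str, form: str) -> str:
    """Wrong order: validate and escape the raw text, then normalize the output."""
    if is_event_handler(attr_name):
        raise ValueError("event handler attribute rejected")
    markup = f'<span {attr_name}="{html.escape(value, quote=True)}">x</span>'
    return unicodedata.normalize(form, markup)


def render_fixed(attr_name: str, value: str, form: str) -> str:
    """Right order: normalize the input first, then validate and escape exactly
    the text that will be emitted."""
    attr_name = unicodedata.normalize(form, attr_name)
    value = unicodedata.normalize(form, value)
    if is_event_handler(attr_name):
        raise ValueError("event handler attribute rejected")
    return f'<span {attr_name}="{html.escape(value, quote=True)}">x</span>'


def demo() -> dict:
    """Runs the four cases and returns what each rendering produced."""
    out = {
        "nfc_handler_leak": render_vulnerable(SNEAKY_HANDLER, "alert(1)", "NFC"),
        "nfkc_tag_leak": render_vulnerable("title", FULLWIDTH_SCRIPT, "NFKC"),
        "nfc_keeps_fullwidth": render_vulnerable("title", FULLWIDTH_SCRIPT, "NFC"),
        "fixed_nfkc": render_fixed("title", FULLWIDTH_SCRIPT, "NFKC"),
    }
    try:
        render_fixed(SNEAKY_HANDLER, "alert(1)", "NFC")
        out["fixed_nfc_handler"] = "accepted"
    except ValueError:
        out["fixed_nfc_handler"] = "rejected"
    return out


if __name__ == "__main__":
    for name, rendered in demo().items():
        print(f"{name}: {rendered}")
```

The practical rule this demonstrates: normalize once, as early as possible, and run every validation and escaping step on the normalized form; any normalization that happens downstream of the escaping step (in a different component, as CWE-74 describes) must be treated as re-opening the output to injection.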

CVE-2025-32698 – LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions
https://notcve.org/view.php?id=CVE-2025-32698
10 Apr 2025 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program file includes/logging/LogPager.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. • https://phabricator.wikimedia.org/T385958 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2025-32697 – Cascading protection is not preventing file reversions
https://notcve.org/view.php?id=CVE-2025-32697
10 Apr 2025 — Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.php, includes/Permissions/PermissionManager.php, includes/Permissions/RestrictionStore.php. This issue affects MediaWiki: before 1.42.6, 1.43.1. • https://phabricator.wikimedia.org/T140010 • CWE-281: Improper Preservation of Permissions •

CVE-2025-32696 – "reupload-own" restriction can be bypassed by reverting file
https://notcve.org/view.php?id=CVE-2025-32696
10 Apr 2025 — Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.php, includes/api/ApiFileRevert.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. • https://phabricator.wikimedia.org/T304474 • CWE-281: Improper Preservation of Permissions •

CVE-2024-40596
https://notcve.org/view.php?id=CVE-2024-40596
06 Jul 2024 — An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The Special:Investigate feature can expose suppressed information for log events. (TimelineService does not properly support suppression.) • https://phabricator.wikimedia.org/T326866 • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2024-40598
https://notcve.org/view.php?id=CVE-2024-40598
06 Jul 2024 — An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log events. (The log_deleted attribute is not applied to entries.) • https://phabricator.wikimedia.org/T326867 • CWE-532: Insertion of Sensitive Information into Log File •
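CVE-2025-32698 (LogPager.php), CVE-2024-40596 and CVE-2024-40598 above share one failure mode: a log view or API emits fields of a log entry without honouring the log_deleted bitfield, or lets a caller filter on a hidden field so that the query itself confirms the hidden value. The Python model below is added here as an illustration and is not code from MediaWiki or CheckUser. The bit values are MediaWiki's LogPage DELETED_* constants and `user_can_bitfield` models the logic of LogEventsList::userCanBitfield() (the right names deletedhistory, suppressrevision and viewsuppressed are real MediaWiki rights); the `LogRow` type, the sample rows, the rights-as-a-set convention and the `format_row*` / `rows_by_performer*` helpers are constructed for the example.

```python
from dataclasses import dataclass

# Bit values of the log_deleted column (MediaWiki's LogPage::DELETED_* constants).
DELETED_ACTION = 1       # action / target hidden
DELETED_COMMENT = 2      # log comment hidden
DELETED_USER = 4         # performer hidden
DELETED_RESTRICTED = 8   # suppressed: only oversight rights reveal the hidden fields


@dataclass(frozen=True)
class LogRow:
    """Constructed stand-in for a logging-table row (not MediaWiki's own type)."""
    log_id: int
    performer: str
    target: str
    comment: str
    log_deleted: int


# Constructed sample rows; not data from any real wiki.
SAMPLE_ROWS = [
    LogRow(1, "Alice", "Page A", "routine block", 0),
    LogRow(2, "Bob", "Page B", "rude summary", DELETED_COMMENT),
    LogRow(3, "Hidden-Sock", "Page C", "see ticket", DELETED_USER | DELETED_RESTRICTED),
]


def user_can_bitfield(bitfield: int, field: int, rights: set) -> bool:
    """Model of LogEventsList::userCanBitfield(): may a viewer holding these
    rights see the given field of a row with this log_deleted value?"""
    if not bitfield & field:
        return True                       # field is not hidden at all
    if bitfield & DELETED_RESTRICTED:
        return bool(rights & {"suppressrevision", "viewsuppressed"})
    return "deletedhistory" in rights


def format_row_vulnerable(row: LogRow, rights: set) -> str:
    """Bug pattern: the row is rendered without consulting log_deleted at all."""
    return f"{row.performer} / {row.target} / {row.comment}"


def format_row(row: LogRow, rights: set) -> str:
    """Each field is masked unless this viewer is allowed to see it."""
    performer = row.performer if user_can_bitfield(row.log_deleted, DELETED_USER, rights) else "(username removed)"
    target = row.target if user_can_bitfield(row.log_deleted, DELETED_ACTION, rights) else "(target removed)"
    comment = row.comment if user_can_bitfield(row.log_deleted, DELETED_COMMENT, rights) else "(comment removed)"
    return f"{performer} / {target} / {comment}"


def rows_by_performer_vulnerable(rows, performer: str, rights: set) -> list:
    """Bug pattern: a performer filter matches hidden names too, so searching
    for a suppressed username confirms that it exists in the log."""
    return [r.log_id for r in rows if r.performer == performer]


def rows_by_performer(rows, performer: str, rights: set) -> list:
    """When the query filters on the performer, rows whose performer is hidden
    from this viewer are excluded entirely, not merely masked in the output."""
    return [
        r.log_id for r in rows
        if r.performer == performer and user_can_bitfield(r.log_deleted, DELETED_USER, rights)
    ]


if __name__ == "__main__":
    anonymous = set()
    for row in SAMPLE_ROWS:
        print("vulnerable:", format_row_vulnerable(row, anonymous))
        print("fixed:     ", format_row(row, anonymous))
    print("oracle, vulnerable:", rows_by_performer_vulnerable(SAMPLE_ROWS, "Hidden-Sock", anonymous))
    print("oracle, fixed:     ", rows_by_performer(SAMPLE_ROWS, "Hidden-Sock", anonymous))
```

Two checks matter when reviewing any new log-rendering path or API module: every field that can be hidden must go through a per-field permission check before it is formatted (masking the whole row is not enough, because an ordinary admin with deletedhistory may see a deleted comment but not a suppressed one), and every filter parameter that matches against a hideable field must exclude rows the caller may not see, because a yes/no match is itself a disclosure.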

CVE-2024-40599
https://notcve.org/view.php?id=CVE-2024-40599
06 Jul 2024 — An issue was discovered in the GuMaxDD skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. • https://phabricator.wikimedia.org/T361448 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-40600
https://notcve.org/view.php?id=CVE-2024-40600
06 Jul 2024 — An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. • https://phabricator.wikimedia.org/T361449 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-40601
https://notcve.org/view.php?id=CVE-2024-40601
06 Jul 2024 — An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules. • https://phabricator.wikimedia.org/T362588 • CWE-352: Cross-Site Request Forgery (CSRF) •