CVE-2023-22945
https://notcve.org/view.php?id=CVE-2023-22945
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. En la extensión GrowthExperiments para MediaWiki hasta la versión 1.39, la API growthmanagementorlist permite a los usuarios bloqueados (bloqueados en ApiManageMentorList) inscribirse como mentores o editar cualquiera de sus propiedades relacionadas con la tutoría. • https://gerrit.wikimedia.org/r/q/Id1b83fcd58eccb8b2dfea44a3ab2f72314860d88 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A https://phabricator.wikimedia.org/T321733 • CWE-863: Incorrect Authorization •
CVE-2023-22911
https://notcve.org/view.php?id=CVE-2023-22911
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A https://phabricator.wikimedia.org/T149488 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-22909
https://notcve.org/view.php?id=CVE-2023-22909
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A https://phabricator.wikimedia.org/T320987 •
CVE-2022-41765
https://notcve.org/view.php?id=CVE-2022-41765
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. Se descubrió un problema en MediaWiki antes de 1.35.8, 1.36.x y 1.37.x antes de 1.37.5 y 1.38.x antes de 1.38.3. HTMLUserTextField expone la existencia de usuarios ocultos. • https://phabricator.wikimedia.org/T309894 https://security.gentoo.org/glsa/202305-24 • CWE-203: Observable Discrepancy •
CVE-2021-44856
https://notcve.org/view.php?id=CVE-2021-44856
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value. Se descubrió un problema en MediaWiki antes de 1.35.5, 1.36.x antes de 1.36.3 y 1.37.x antes de 1.37.1. Se puede crear un título bloqueado por AbuseFilter a través de Special:ChangeContentModel debido al mal manejo del valor de retorno del gancho EditFilterMergedContent. • https://phabricator.wikimedia.org/T271037 https://security.gentoo.org/glsa/202305-24 • CWE-754: Improper Check for Unusual or Exceptional Conditions •