CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 1CVE-2022-47927
https://notcve.org/view.php?id=CVE-2022-47927
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data. Se descubrió un problema en MediaWiki antes de 1.35.9, 1.36.x hasta 1.38.x antes de 1.38.5 y 1.39.x antes de 1.39.1. Al instalar con un directorio de datos preexistente que tiene permisos débiles, los archivos SQLite se crean con el modo de archivo 0644, es decir, legible mundialmente para los usuarios locales. • https://lists.debian.org/debian-lts-announce/2023/07/msg00011.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/thread/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3 https://phabricator.wikimedia.org/T322637 https://security.gentoo.org/glsa/202305-24 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22945
https://notcve.org/view.php?id=CVE-2023-22945
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. En la extensión GrowthExperiments para MediaWiki hasta la versión 1.39, la API growthmanagementorlist permite a los usuarios bloqueados (bloqueados en ApiManageMentorList) inscribirse como mentores o editar cualquiera de sus propiedades relacionadas con la tutoría. • https://gerrit.wikimedia.org/r/q/Id1b83fcd58eccb8b2dfea44a3ab2f72314860d88 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A https://phabricator.wikimedia.org/T321733 • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 1CVE-2023-22911
https://notcve.org/view.php?id=CVE-2023-22911
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A https://phabricator.wikimedia.org/T149488 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-22909
https://notcve.org/view.php?id=CVE-2023-22909
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A https://phabricator.wikimedia.org/T320987 •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-41765
https://notcve.org/view.php?id=CVE-2022-41765
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. Se descubrió un problema en MediaWiki antes de 1.35.8, 1.36.x y 1.37.x antes de 1.37.5 y 1.38.x antes de 1.38.3. HTMLUserTextField expone la existencia de usuarios ocultos. • https://phabricator.wikimedia.org/T309894 https://security.gentoo.org/glsa/202305-24 • CWE-203: Observable Discrepancy •