
CVE-2021-30156
https://notcve.org/view.php?id=CVE-2021-30156
09 Apr 2021 — An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2021-30155 – Gentoo Linux Security Advisory 202107-40
https://notcve.org/view.php?id=CVE-2021-30155
09 Apr 2021 — An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page. Mu... • https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html • CWE-862: Missing Authorization

CVE-2021-30152 – Gentoo Linux Security Advisory 202107-40
https://notcve.org/view.php?id=CVE-2021-30152
09 Apr 2021 — An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for. • https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html • CWE-269: Improper Privilege Management

CVE-2021-30154 – Gentoo Linux Security Advisory 202107-40
https://notcve.org/view.php?id=CVE-2021-30154
06 Apr 2021 — An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS. Multiple security issues were found in M... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-30157 – Gentoo Linux Security Advisory 202107-40
https://notcve.org/view.php?id=CVE-2021-30157
06 Apr 2021 — An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-30158 – Gentoo Linux Security Advisory 202107-40
https://notcve.org/view.php?id=CVE-2021-30158
06 Apr 2021 — An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party. • https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html • CWE-287: Improper Authentication

CVE-2020-29004
https://notcve.org/view.php?id=CVE-2020-29004
29 Jan 2021 — The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Push/+/625988 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2020-29005
https://notcve.org/view.php?id=CVE-2020-29005
29 Jan 2021 — The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Push/+/625988 • CWE-319: Cleartext Transmission of Sensitive Information • CWE-522: Insufficiently Protected Credentials

CVE-2020-35622
https://notcve.org/view.php?id=CVE-2020-35622
21 Dec 2020 — An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GlobalUsage/+/646744 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-35623
https://notcve.org/view.php?id=CVE-2020-35623
21 Dec 2020 — An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space. • https://github.com/CWRUChielLab/CASAuth/pull/11 • CWE-20: Improper Input Validation • CWE-706: Use of Incorrectly-Resolved Name or Reference