
CVE-2024-40605
https://notcve.org/view.php?id=CVE-2024-40605
06 Jul 2024 — An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. Se descubrió un problema en el aspecto Foreground de MediaWiki hasta la versión 1.42.1. Hay XSS almacenado a través de MediaWiki: entradas del menú de nivel superior de la barra lateral. • https://phabricator.wikimedia.org/T361452 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-40600
https://notcve.org/view.php?id=CVE-2024-40600
06 Jul 2024 — An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. Se descubrió un problema en el aspecto Metrolook para MediaWiki hasta la versión 1.42.1. Hay XSS almacenado a través de MediaWiki: entradas del menú de nivel superior de la barra lateral. • https://phabricator.wikimedia.org/T361449 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-40596
https://notcve.org/view.php?id=CVE-2024-40596
06 Jul 2024 — An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The Special:Investigate feature can expose suppressed information for log events. (TimelineService does not support properly suppressing.) Se descubrió un problema en la extensión CheckUser para MediaWiki hasta 1.42.1. La función Special:Investigate puede exponer información suprimida para eventos de registro. • https://phabricator.wikimedia.org/T326866 • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2024-40598
https://notcve.org/view.php?id=CVE-2024-40598
06 Jul 2024 — An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log events. (The log_deleted attribute is not applied to entries.) Se descubrió un problema en la extensión CheckUser para MediaWiki hasta 1.42.1. La API puede exponer información suprimida para eventos de registro. • https://phabricator.wikimedia.org/T326867 • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2024-23172
https://notcve.org/view.php?id=CVE-2024-23172
12 Jan 2024 — An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog. Se descubrió un problema en la extensión CheckUser en MediaWiki antes de 1.35.14, 1.36.x hasta 1.39.x antes de 1.39.6 y 1.40.x antes de 1.40.2. XSS puede ocurrir a través de definiciones de mensajes. por ejemplo, en SpecialCheckUserLog. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/989179 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-23177
https://notcve.org/view.php?id=CVE-2024-23177
12 Jan 2024 — An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter. Se descubrió un problema en la extensión WatchAnalytics en MediaWiki antes de la versión 1.40.2. XSS puede ocurrir a través del parámetro de página Special:PageStatistics. • https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/message/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-23174
https://notcve.org/view.php?id=CVE-2024-23174
12 Jan 2024 — An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message. Se descubrió un problema en la extensión PageT... • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/989177 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-23179
https://notcve.org/view.php?id=CVE-2024-23179
12 Jan 2024 — An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks. Se descubrió un problema en la extensión GlobalBlocking en MediaWiki antes de la versión 1.40.2. • https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/message/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-23171
https://notcve.org/view.php?id=CVE-2024-23171
12 Jan 2024 — An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n). Se descubrió un problema en la extensión CampaignEvents en MediaWiki antes de 1.35.14, 1.36.x hasta 1.39.x antes de 1.39.6 y 1.40.x antes de 1.40.2. La página Special:EventDetails permite XSS a través de la configuración de idioma x-xss para la internacionali... • https://gerrit.wikimedia.org/r/q/I70d71c409193e904684dfb706d424b0a815fa6f6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-23173
https://notcve.org/view.php?id=CVE-2024-23173
12 Jan 2024 — An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php. Se descubrió un problema en la extensión Cargo en MediaWiki antes de 1.35.14, 1.36.x hasta 1.39.x antes de 1.39.6 y 1.40.x antes de 1.40.2. La página Special:Drilldown permite XSS a través de los parámetros artist, album y... • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •