CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-31555
https://notcve.org/view.php?id=CVE-2021-31555
An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. It did not validate the oarc_version (aka oauth_registered_consumer.oarc_version) parameter's length. Se detectó un problema en la extensión Oauth para MediaWiki versiones hasta 1.35.2. No comprobó la longitud del parámetro oarc_version (también se conoce como oauth_registered_consumer.oarc_version) • https://gerrit.wikimedia.org/r/q/I222c053b4b14ac1ad0f5b3a51565b1b9cd4c139d https://phabricator.wikimedia.org/T277388 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2021-30159
https://notcve.org/view.php?id=CVE-2021-30159
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master. • https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT https://phabricator.wikimedia.org/T272386 https://security.gentoo.org/glsa/202107-40 https://www.debian.org/security/2021/dsa-4889 •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2021-30156
https://notcve.org/view.php?id=CVE-2021-30156
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists. Se detectó un problema en MediaWiki versiones anteriores a 1.31.12 y 1.32.xa 1.35.x versiones anteriores a 1.35.2. Special:Contributions pueden filtrar que un usuario "hidden" exista • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT https://phabricator.wikimedia.org/T276306 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2021-30155
https://notcve.org/view.php?id=CVE-2021-30155
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page. Se detectó un problema en MediaWiki versiones anteriores a 1.31.12 y versiones 1.32.x hasta 1.35.x versiones anteriores a 1.35.2. La función ContentModelChange no comprueba si un usuario presenta permisos correctos para crear y ajustar el modelo de contenido de una página inexistente • https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT https://phabricator.wikimedia.org/T270988 https://security.gentoo.org/glsa/202107-40 https://www.debian.org/security/2021/dsa-4889 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2021-30152
https://notcve.org/view.php?id=CVE-2021-30152
An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for. Se detectó un problema en MediaWiki versiones anteriores a 1.31.13 y versiones 1.32.x hasta 1.35.x versiones anteriores a 1.35.2. Cuando es usada la API de MediaWiki para "proteger" una página, un usuario actualmente puede proteger a un nivel más alto del que actualmente posee permisos • https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT https://phabricator.wikimedia.org/T270713 https://security.gentoo.org/glsa/202107-40 https://www.debian.org/security/2021/dsa-4889 • CWE-269: Improper Privilege Management •