
CVE-2024-23179
https://notcve.org/view.php?id=CVE-2024-23179
12 Jan 2024 — An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks. • https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/message/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-51704
https://notcve.org/view.php?id=CVE-2023-51704
22 Dec 2023 — An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights. • https://lists.debian.org/debian-lts-announce/2024/04/msg00018.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-48614
https://notcve.org/view.php?id=CVE-2022-48614
10 Dec 2023 — Special:Ask in Semantic MediaWiki before 4.0.2 allows Reflected XSS. • https://github.com/SemanticMediaWiki/SemanticMediaWiki/issues/5262 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-45359 – Debian Security Advisory 5520-1
https://notcve.org/view.php?id=CVE-2023-45359
11 Oct 2023 — An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, denial of service or information disclosure. • https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/skins/Vector/+/c17b956e0750e051ac7c1098e3ff625f0db82b2c • CWE-116: Improper Encoding or Escaping of Output •

CVE-2023-45360 – Debian Security Advisory 5520-1
https://notcve.org/view.php?id=CVE-2023-45360
11 Oct 2023 — An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in the youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-45361 – Debian Security Advisory 5520-1
https://notcve.org/view.php?id=CVE-2023-45361
11 Oct 2023 — An issue was discovered in VectorComponentUserLinks.php in the Vector Skin component in MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-intro-page MalformedTitleException is uncaught if it is not a valid title, leading to incorrect web pages. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, denial of service or information disclosure. • https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/skins/Vector/+/2a452b7e2562cba32b8a17bc91dc5abb531f0a1c •

CVE-2023-45362 – Debian Security Advisory 5520-1
https://notcve.org/view.php?id=CVE-2023-45362
11 Oct 2023 — An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak. • https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html •

CVE-2023-45363 – Debian Security Advisory 5520-1
https://notcve.org/view.php?id=CVE-2023-45363
09 Oct 2023 — An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. • https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2023-45364 – Debian Security Advisory 5520-1
https://notcve.org/view.php?id=CVE-2023-45364
09 Oct 2023 — An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. Deleted revision existence is leaked due to incorrect permissions being checked. This reveals that a given revision ID belonged to the given page title, and its timestamp, both of which are not supposed to be public information. • https://phabricator.wikimedia.org/T264765 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2023-45367
https://notcve.org/view.php?id=CVE-2023-45367
09 Oct 2023 — An issue was discovered in the CheckUser extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. A user can use a rest.php/checkuser/v0/useragent-clienthints/revision/ URL to store an arbitrary number of rows in cu_useragent_clienthints, leading to a denial of service. • https://phabricator.wikimedia.org/T344923 •