CVE-2018-0503 – $wgRateLimits entry for 'user' overrides 'newbie'
https://notcve.org/view.php?id=CVE-2018-0503
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where, contrary to the documentation, the $wgRateLimits entry for 'user' overrides that for 'newbie'.
References: http://www.securitytracker.com/id/1041695 • https://access.redhat.com/errata/RHSA-2019:3142 • https://access.redhat.com/errata/RHSA-2019:3238 • https://access.redhat.com/errata/RHSA-2019:3813 • https://lists.wikimedia.org/pipermail/wikitech-l/2018-September/090849.html • https://phabricator.wikimedia.org/T169545 • https://www.debian.org/security/2018/dsa-4301 • https://access.redhat.com/security/cve/CVE-2018-0503 • https://bugzilla.redhat.com/show_bug.cgi?id=1634161
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-269: Improper Privilege Management
CVE-2018-0505 – BotPasswords can bypass CentralAuth's account lock
https://notcve.org/view.php?id=CVE-2018-0505
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock.
References: http://www.securitytracker.com/id/1041695 • https://access.redhat.com/errata/RHSA-2019:3142 • https://access.redhat.com/errata/RHSA-2019:3238 • https://access.redhat.com/errata/RHSA-2019:3813 • https://lists.wikimedia.org/pipermail/wikitech-l/2018-September/090849.html • https://phabricator.wikimedia.org/T194605 • https://www.debian.org/security/2018/dsa-4301 • https://access.redhat.com/security/cve/CVE-2018-0505 • https://bugzilla.redhat.com/show_bug.cgi?id=1634166
Weakness: CWE-285: Improper Authorization • CWE-287: Improper Authentication
CVE-2017-0370 – Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter
https://notcve.org/view.php?id=CVE-2017-0370
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the Spam blacklist is ineffective on encoded URLs inside the file inclusion syntax's link parameter.
References: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html • https://phabricator.wikimedia.org/T48143 • https://security-tracker.debian.org/tracker/CVE-2017-0370
Weakness: CWE-20: Improper Input Validation
CVE-2017-0363 – Special:UserLogin?returnto=interwiki:foo will redirect to external sites
https://notcve.org/view.php?id=CVE-2017-0363
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites.
References: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html • https://phabricator.wikimedia.org/T109140 • https://security-tracker.debian.org/tracker/CVE-2017-0363
Weakness: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2017-0362 – "Mark all pages visited" on the watchlist does not require a CSRF token
https://notcve.org/view.php?id=CVE-2017-0362
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" action on the watchlist does not require a CSRF token.
References: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html • https://phabricator.wikimedia.org/T150044 • https://security-tracker.debian.org/tracker/CVE-2017-0362
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)