CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2024-23174
https://notcve.org/view.php?id=CVE-2024-23174
An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message. Se descubrió un problema en la extensión PageTriage en MediaWiki antes de 1.35.14, 1.36.x hasta 1.39.x antes de 1.39.6 y 1.40.x antes de 1.40.2. XSS puede ocurrir a través de rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, o mensaje pagetriage-filter-reset-button. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/989177 https://phabricator.wikimedia.org/T347704 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-51704
https://notcve.org/view.php?id=CVE-2023-51704
An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights. Se descubrió un problema en MediaWiki antes de 1.35.14, 1.36.x hasta 1.39.x antes de 1.39.6 y 1.40.x antes de 1.40.2. En includes/logging/RightsLogFormatter.php, group-*-mensajes de miembros pueden generar XSS en Special:log/rights. • https://lists.debian.org/debian-lts-announce/2024/04/msg00018.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY https://phabricator.wikimedia.org/T347726 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 1CVE-2023-45360
https://notcve.org/view.php?id=CVE-2023-45360
An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. Se descubrió un problema en MediaWiki antes de 1.35.12, 1.36.x hasta 1.39.x antes de 1.39.5 y 1.40.x antes de 1.40.1. Hay XSS en youhavenewmessagesmanyusers y youhavenewmessages i18n mensajes. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY https://phabricator.wikimedia.org/T340221 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2023-45362
https://notcve.org/view.php?id=CVE-2023-45362
An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak. Se descubrió un problema en DifferenceEngine.php en MediaWiki antes de 1.35.12, 1.36.x hasta 1.39.x antes de 1.39.5 y 1.40.x antes de 1.40.1. diff-multi-sameuser (también conocido como "X revisiones intermedias del mismo usuario no mostradas") ignora la supresión del nombre de usuario. Esta es una filtración de información. • https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY https://phabricator.wikimedia.org/T341529 •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2023-45363
https://notcve.org/view.php?id=CVE-2023-45363
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. Se descubrió un problema en ApiPageSet.php en MediaWiki antes de 1.35.12, 1.36.x hasta 1.39.x antes de 1.39.5 y 1.40.x antes de 1.40.1. Permite a los atacantes provocar una denegación de servicio (bucle ilimitado y RequestTimeoutException) cuando consultan páginas redirigidas a otras variantes con redirecciones y converttitles configurados. • https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html https://phabricator.wikimedia.org/T333050 https://www.debian.org/security/2023/dsa-5520 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •