CVSS: 6.4EPSS: 1%CPEs: 3EXPL: 1CVE-2023-36675 – Debian Security Advisory 5447-1
https://notcve.org/view.php?id=CVE-2023-36675
26 Jun 2023 — An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature. Se descubrió un problema en MediaWiki antes de 1.35.11, 1.36.x hasta 1.38.x antes de 1.38.7 y 1.39.x antes de 1.39.4. BlockLogFormatter.php en BlockLogFormatter permite XSS en la función de bloques parciales. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which ... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41766 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-41766
22 May 2023 — An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed). Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. Versions greater than or equal to 1.25.2 are affected. • https://phabricator.wikimedia.org/T307278 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-30153
https://notcve.org/view.php?id=CVE-2021-30153
15 Apr 2023 — An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor. • https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29137
https://notcve.org/view.php?id=CVE-2023-29137
31 Mar 2023 — An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users. • https://phabricator.wikimedia.org/T328643 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29139
https://notcve.org/view.php?id=CVE-2023-29139
31 Mar 2023 — An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. When a user with checkuserlog permissions makes many CheckUserLog API requests in some configurations, denial of service can occur (RequestTimeoutException or upstream request timeout). • https://phabricator.wikimedia.org/T326293 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29140
https://notcve.org/view.php?id=CVE-2023-29140
31 Mar 2023 — An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted. • https://phabricator.wikimedia.org/T327613 • CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-29141 – Debian Security Advisory 5447-1
https://notcve.org/view.php?id=CVE-2023-29141
31 Mar 2023 — An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, a bypass of vandalism protections or information disclosure. • https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 1CVE-2023-22910
https://notcve.org/view.php?id=CVE-2023-22910
20 Jan 2023 — An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability. • https://phabricator.wikimedia.org/T323592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 1CVE-2023-22912
https://notcve.org/view.php?id=CVE-2023-22912
20 Jan 2023 — An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt. • https://phabricator.wikimedia.org/T315123 • CWE-330: Use of Insufficiently Random Values •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2022-39193
https://notcve.org/view.php?id=CVE-2022-39193
20 Jan 2023 — An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with suppression rights. • https://phabricator.wikimedia.org/T311337 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •