CVE-2023-45374
https://notcve.org/view.php?id=CVE-2023-45374
An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It does not check for the anti-CSRF edit token in Special:SportsTeamsManager and Special:UpdateFavoriteTeams. Se descubrió un problema en la extensión SportsTeams para MediaWiki antes de 1.35.12, 1.36.x hasta 1.39.x antes de 1.39.5 y 1.40.x antes de 1.40.1. No busca el token de edición anti-CSRF en Special:SportsTeamsManager y Special:UpdateFavoriteTeams. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SportsTeams/+/952552 https://phabricator.wikimedia.org/T345040 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-45369
https://notcve.org/view.php?id=CVE-2023-45369
An issue was discovered in the PageTriage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. Usernames of hidden users are exposed. Se descubrió un problema en la extensión PageTriage para MediaWiki anterior a 1.35.12, 1.36.x a 1.39.x anterior a 1.39.5 y 1.40.x anterior a 1.40.1. Los nombres de usuario de usuarios ocultos están expuestos. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/960676 https://phabricator.wikimedia.org/T344359 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-45363
https://notcve.org/view.php?id=CVE-2023-45363
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. Se descubrió un problema en ApiPageSet.php en MediaWiki antes de 1.35.12, 1.36.x hasta 1.39.x antes de 1.39.5 y 1.40.x antes de 1.40.1. Permite a los atacantes provocar una denegación de servicio (bucle ilimitado y RequestTimeoutException) cuando consultan páginas redirigidas a otras variantes con redirecciones y converttitles configurados. • https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html https://phabricator.wikimedia.org/T333050 https://www.debian.org/security/2023/dsa-5520 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2023-45364
https://notcve.org/view.php?id=CVE-2023-45364
An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. Deleted revision existence is leaked due to incorrect permissions being checked. This reveals that a given revision ID belonged to the given page title, and its timestamp, both of which are not supposed to be public information. Se descubrió un problema en include/page/Article.php en MediaWiki 1.36.x hasta 1.39.x anteriores a 1.39.5 y 1.40.x anteriores a 1.40.1. La existencia de la revisión eliminada se filtra debido a que se verificaron permisos incorrectos. • https://phabricator.wikimedia.org/T264765 https://www.debian.org/security/2023/dsa-5520 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-45370
https://notcve.org/view.php?id=CVE-2023-45370
An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo do not check for the sportsteamsmanager user right, and thus an attacker may be able to affect pages that are concerned with sports teams. Se descubrió un problema en la extensión SportsTeams para MediaWiki antes de 1.35.12, 1.36.x hasta 1.39.x antes de 1.39.5 y 1.40.x antes de 1.40.1. SportsTeams: Special:SportsManagerLogo y Special:SportsTeamsManagerLogo no verifican el derecho de usuario de sportsteamsmanager y, por lo tanto, un atacante puede afectar páginas relacionadas con equipos deportivos. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SportsTeams/+/959699 https://phabricator.wikimedia.org/T345680 • CWE-862: Missing Authorization •