
CVE-2023-37251
https://notcve.org/view.php?id=CVE-2023-37251
29 Jun 2023 — An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs. • https://phabricator.wikimedia.org/T333980 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-37254
https://notcve.org/view.php?id=CVE-2023-37254
29 Jun 2023 — An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted page item when using the default format. • https://phabricator.wikimedia.org/T331065 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-37255
https://notcve.org/view.php?id=CVE-2023-37255
29 Jun 2023 — An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header. • https://phabricator.wikimedia.org/T333569 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-37256
https://notcve.org/view.php?id=CVE-2023-37256
29 Jun 2023 — An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. It allows one to store javascript: URLs in URL fields, and automatically links these URLs. • https://phabricator.wikimedia.org/T331311 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-36675 – Debian Security Advisory 5447-1
https://notcve.org/view.php?id=CVE-2023-36675
26 Jun 2023 — An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which ... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-29137
https://notcve.org/view.php?id=CVE-2023-29137
31 Mar 2023 — An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users. • https://phabricator.wikimedia.org/T328643 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2023-29139
https://notcve.org/view.php?id=CVE-2023-29139
31 Mar 2023 — An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. When a user with checkuserlog permissions makes many CheckUserLog API requests in some configurations, denial of service can occur (RequestTimeoutException or upstream request timeout). • https://phabricator.wikimedia.org/T326293 • CWE-400: Uncontrolled Resource Consumption •

CVE-2023-29140
https://notcve.org/view.php?id=CVE-2023-29140
31 Mar 2023 — An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted. • https://phabricator.wikimedia.org/T327613 • CWE-284: Improper Access Control •

CVE-2023-29141 – Debian Security Advisory 5447-1
https://notcve.org/view.php?id=CVE-2023-29141
31 Mar 2023 — An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, a bypass of vandalism protections or information disclosure. • https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVE-2022-39193
https://notcve.org/view.php?id=CVE-2022-39193
20 Jan 2023 — An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with suppression rights. • https://phabricator.wikimedia.org/T311337 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •