CVE-2013-1818
https://notcve.org/view.php?id=CVE-2013-1818
maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote attackers to read arbitrary files via unspecified vectors. maintenance/mwdoc-filter.php en MediaWiki anterior a 1.20.3 permite a atacantes remotos leer archivos arbitrarios a través de vectores no especificados. • http://www.mediawiki.org/wiki/Release_notes/1.20 http://www.securityfocus.com/bid/58304 https://bugzilla.wikimedia.org/show_bug.cgi?id=45355 https://exchange.xforce.ibmcloud.com/vulnerabilities/88363 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2013-4304
https://notcve.org/view.php?id=CVE-2013-4304
The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote attackers to bypass authentication without a password. La extensión de MediaWiki CentralAuth 1.19.x anterior a 1.19.8, 1.20.7 anterior a 1.20.x y 1.21.x anterior 1.21.2 almacena en caché un objeto CentralAuthUser válida en la cookie centralauth_User incluso cuando el usuario no ha iniciado la sesión correctamente, lo que permite atacantes remotos evitar la autenticación sin contraseña. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96910 http://seclists.org/oss-sec/2013/q3/553 http://secunia.com/advisories/54723 https://bugzilla.wikimedia.org/show_bug.cgi?id=52338 https://exchange.xforce.ibmcloud.com/vulnerabilities/86894 • CWE-287: Improper Authentication •
CVE-2013-1951
https://notcve.org/view.php?id=CVE-2013-1951
A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names. Una vulnerabilidad de tipo cross-site scripting (XSS) en MediaWiki versiones anteriores a 1.19.5 y versiones 1.20.x anteriores a 1.20.4 y permite a atacantes remotos inyectar script web o HTML arbitrario por medio de nombres de función de Lua. • http://lists.fedoraproject.org/pipermail/package-announce/2013-April/104022.html http://lists.fedoraproject.org/pipermail/package-announce/2013-April/104027.html http://security.gentoo.org/glsa/glsa-201310-21.xml http://www.openwall.com/lists/oss-security/2013/04/16/12 http://www.securityfocus.com/bid/59077 https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-1951 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1951 https://phabricator.wikimedia.org/T48084 https://security-tr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-2031
https://notcve.org/view.php?id=CVE-2013-2031
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox. MediaWiki anteriores a 1.19.6, y 1.20.x anteriores a 1.20.5, permite a atacantes remotos realizar ataques cross-site scripting (XSS), como demostrado por una sección CDATA conteniendo secuencias válidas codificadas con UTF-7 en un fichero SVG, el cual es interpretado incorrectamente como UTF-8 por Chrome y Firefox. • http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105784.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105825.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106293.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000129.html http://secunia.com/advisories/55433 http://secunia.com/advisories/57472 http://security.gentoo.org/glsa/glsa-201310-21.xml http://www.debian.org/security/2014/dsa-2891 http://www • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-2032
https://notcve.org/view.php?id=CVE-2013-2032
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks. MediaWiki anteriores a 1.19.6, y 1.20.x anteriores a 1.20.5 no permite a las extensiones prevenir cambios en las contraseñas sin usar Special:PasswordReset y Special:ChangePassword, lo cual permite a atacantes remotos sortear restricciones de acceso en extensiones que sólo implementan uno de estos bloques. • http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105784.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105825.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106293.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000129.html http://secunia.com/advisories/55433 http://security.gentoo.org/glsa/glsa-201310-21.xml https://bugzilla.wikimedia.org/show_bug.cgi?id=46590 • CWE-264: Permissions, Privileges, and Access Controls •