CVE-2013-4301
https://notcve.org/view.php?id=CVE-2013-4301
includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message. includes/resourceloader/ResourceLoaderContext.php en MediaWiki 1.19.x anterior a la versión 1.19.8, 1.20.x anterior a 1.20.7, y 1.21.x anterior a la versión 1.21.2 permite a atacantes remotos obtener información sensible a través de "<" (bracket de ángulo abierto) carácter en el parámetro de lenguaje a w/load.php, lo que revela el directorio de instalación en un mensaje de error. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96913 http://seclists.org/oss-sec/2013/q3/553 http://secunia.com/advisories/54715 https://bugzilla.wikimedia.org/show_bug.cgi?id=46332 https://exchange.xforce.ibmcloud.com/vulnerabilities/86895 https://www.mediawiki.org/wiki/Release_notes/1.19 https://www.mediawiki.org/wiki/Release_notes/1.20 https://www.mediawiki.org/wiki/Release_notes/1.21 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2013-4303
https://notcve.org/view.php?id=CVE-2013-4303
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php. El archivo includes/libs/IEUrlExtension.php en la API MediaWiki en MediaWiki versiones 1.19.x anteriores a 1.19.8, versiones 1.20.x anteriores a 1.20.7 y versiones 1.21.x anteriores a 1.21.2 no detecta apropiadamente las extensiones cuando existe un número par de caracteres "." (punto) en una cadena, lo que permite a atacantes remotos realizar ataques de tipo cross-site scripting (XSS) por medio del parámetro siprop en una acción query en el archivo wiki/api.php. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62194 https://bugzilla.wikimedia.org/show_bug.cgi?id=52746 https://exchange.xforce.ibmcloud.com/vulnerabilities/86897 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-4302
https://notcve.org/view.php?id=CVE-2013-4302
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php. Los scripts ApiBlock.php, ApiCreateAccount.php, ApiLogin.php, ApiMain.php, ApiQueryDeletedrevs.php, ApiTokens.php, y ApiUnblock.php en includes/api en MediaWiki 1.19.x anterior a 1.19.8, 1.20.x anterior a 1.20.7, y 1.21.x anterior a 1.21.2 permite a atacantes remotos obtener tokens CSFR y evitar la protección contra CSFR via peticiones JSON a wiki/api.php • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96912 http://seclists.org/oss-sec/2013/q3/553 http://secunia.com/advisories/54715 http://www.debian.org/security/2013/dsa-2753 https://bugzilla.wikimedia.org/show_bug.cgi?id=49090 https://exchange.xforce.ibmcloud.com/vulnerabilities/86896 https://www.mediawiki.org/wiki/Release_notes/1.19 https://www.mediawiki.org/wiki/Release_notes/1.20 https://www.mediawiki.org/wiki/Relea • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-4308
https://notcve.org/view.php?id=CVE-2013-4308
Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. Vulnerabilidad cross-site scripting (XSS) en pages/TalkpageHistoryView.php en la extensión LiquidThreads (LQT) 2.x y posiblemente 3.x para MediaWiki 1.19.x (anteriores a 1.19.8) 1.20.x (anteriores a 1.20.7) y 1.21.x (anteriores a 1.21.2) permite a atacantes remotos inyectar script web o HTML a discrección a través de un Asunto de hilo. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96906 http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62218 https://bugzilla.wikimedia.org/show_bug.cgi?id=53320 https://exchange.xforce.ibmcloud.com/vulnerabilities/86891 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-4307
https://notcve.org/view.php?id=CVE-2013-4307
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description. Multiples vulnerabilidades XSS en repo/includes/EntityView.php en la extensión de Wikibase para MediaWiki 1.19.x anteriores a 1.19.8, 1.20.x anteriores a 1.20.7, y 1.21.x anteriores a 1.21.2 permite (1) a atacantes remotos inyectar scripts web o HTML arbitrarios a través de una etiqueta en la sección "In other languages" o (2) a administradores remotos inyectar scripts web o HTML arbitrarios a través de una descripción. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96907 http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62201 https://bugzilla.wikimedia.org/show_bug.cgi?id=53472 https://exchange.xforce.ibmcloud.com/vulnerabilities/86892 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •