CVE-2013-4305
https://notcve.org/view.php?id=CVE-2013-4305
Cross-site scripting (XSS) vulnerability in contrib/example.php in the SyntaxHighlight GeSHi extension for MediaWiki, possibly as downloaded before September 2013, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. Vulnerabilidad de XSS en contrib/example.php de la extensión SyntaxHighlight GeSHi para MediaWiki, posiblemente la descargada antes de septiembre de 2013, permite a atacantes remotos inyectar script web arbitrario o HTML a través de PATH_INFO. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96909 http://seclists.org/oss-sec/2013/q3/553 https://bugzilla.wikimedia.org/show_bug.cgi?id=49070 https://exchange.xforce.ibmcloud.com/vulnerabilities/86890 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-4306
https://notcve.org/view.php?id=CVE-2013-4306
Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors. Vulnerabilidad cross-site request forgery (CSRF) en api/ApiQueryCheckUser.php en la extensión CheckUser para MediaWiki, posiblemente CheckUser anteriores a 2.3, permite a atacantes remotos secuestrar la autenticación de usuarios de forma arbitraria para peticiones que "realizan acciones de escritura sensibles" a través de vectores no especificados. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96908 http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62210 https://bugzilla.wikimedia.org/show_bug.cgi?id=45019 https://exchange.xforce.ibmcloud.com/vulnerabilities/86893 https://git.wikimedia.org/commit/mediawiki%2Fextensions%2FCheckUser.git/99ad25d066ce6111e798427cba7f21526827f651 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2013-4301
https://notcve.org/view.php?id=CVE-2013-4301
includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message. includes/resourceloader/ResourceLoaderContext.php en MediaWiki 1.19.x anterior a la versión 1.19.8, 1.20.x anterior a 1.20.7, y 1.21.x anterior a la versión 1.21.2 permite a atacantes remotos obtener información sensible a través de "<" (bracket de ángulo abierto) carácter en el parámetro de lenguaje a w/load.php, lo que revela el directorio de instalación en un mensaje de error. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96913 http://seclists.org/oss-sec/2013/q3/553 http://secunia.com/advisories/54715 https://bugzilla.wikimedia.org/show_bug.cgi?id=46332 https://exchange.xforce.ibmcloud.com/vulnerabilities/86895 https://www.mediawiki.org/wiki/Release_notes/1.19 https://www.mediawiki.org/wiki/Release_notes/1.20 https://www.mediawiki.org/wiki/Release_notes/1.21 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2013-4303
https://notcve.org/view.php?id=CVE-2013-4303
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php. El archivo includes/libs/IEUrlExtension.php en la API MediaWiki en MediaWiki versiones 1.19.x anteriores a 1.19.8, versiones 1.20.x anteriores a 1.20.7 y versiones 1.21.x anteriores a 1.21.2 no detecta apropiadamente las extensiones cuando existe un número par de caracteres "." (punto) en una cadena, lo que permite a atacantes remotos realizar ataques de tipo cross-site scripting (XSS) por medio del parámetro siprop en una acción query en el archivo wiki/api.php. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62194 https://bugzilla.wikimedia.org/show_bug.cgi?id=52746 https://exchange.xforce.ibmcloud.com/vulnerabilities/86897 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-4302
https://notcve.org/view.php?id=CVE-2013-4302
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php. Los scripts ApiBlock.php, ApiCreateAccount.php, ApiLogin.php, ApiMain.php, ApiQueryDeletedrevs.php, ApiTokens.php, y ApiUnblock.php en includes/api en MediaWiki 1.19.x anterior a 1.19.8, 1.20.x anterior a 1.20.7, y 1.21.x anterior a 1.21.2 permite a atacantes remotos obtener tokens CSFR y evitar la protección contra CSFR via peticiones JSON a wiki/api.php • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96912 http://seclists.org/oss-sec/2013/q3/553 http://secunia.com/advisories/54715 http://www.debian.org/security/2013/dsa-2753 https://bugzilla.wikimedia.org/show_bug.cgi?id=49090 https://exchange.xforce.ibmcloud.com/vulnerabilities/86896 https://www.mediawiki.org/wiki/Release_notes/1.19 https://www.mediawiki.org/wiki/Release_notes/1.20 https://www.mediawiki.org/wiki/Relea • CWE-264: Permissions, Privileges, and Access Controls •