CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-30153
https://notcve.org/view.php?id=CVE-2021-30153
15 Apr 2023 — An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor. • https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 10.0EPSS: 59%CPEs: 1EXPL: 3CVE-2020-29007
https://notcve.org/view.php?id=CVE-2020-29007
15 Apr 2023 — The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code. • https://github.com/seqred-s-a/cve-2020-29007 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29140
https://notcve.org/view.php?id=CVE-2023-29140
31 Mar 2023 — An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted. • https://phabricator.wikimedia.org/T327613 • CWE-284: Improper Access Control •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29139
https://notcve.org/view.php?id=CVE-2023-29139
31 Mar 2023 — An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. When a user with checkuserlog permissions makes many CheckUserLog API requests in some configurations, denial of service can occur (RequestTimeoutException or upstream request timeout). • https://phabricator.wikimedia.org/T326293 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29137
https://notcve.org/view.php?id=CVE-2023-29137
31 Mar 2023 — An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users. • https://phabricator.wikimedia.org/T328643 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-29141 – Debian Security Advisory 5447-1
https://notcve.org/view.php?id=CVE-2023-29141
31 Mar 2023 — An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, a bypass of vandalism protections or information disclosure. • https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-20175 – DaSchTour matomo-mediawiki-extension Username Piwik.hooks.php cross site scripting
https://notcve.org/view.php?id=CVE-2017-20175
05 Feb 2023 — A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2 on MediaWiki. This affects an unknown part of the file Piwik.hooks.php of the component Username Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The complexity of an attack is rather high. • https://github.com/DaSchTour/matomo-mediawiki-extension/commit/681324e4f518a8af4bd1f93867074c728eb9923d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2022-39193
https://notcve.org/view.php?id=CVE-2022-39193
20 Jan 2023 — An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with suppression rights. • https://phabricator.wikimedia.org/T311337 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 1CVE-2023-22910
https://notcve.org/view.php?id=CVE-2023-22910
20 Jan 2023 — An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability. • https://phabricator.wikimedia.org/T323592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 1CVE-2023-22912
https://notcve.org/view.php?id=CVE-2023-22912
20 Jan 2023 — An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt. • https://phabricator.wikimedia.org/T315123 • CWE-330: Use of Insufficiently Random Values •