
CVE-2023-22910
https://notcve.org/view.php?id=CVE-2023-22910
20 Jan 2023 — An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability. • https://phabricator.wikimedia.org/T323592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-22912
https://notcve.org/view.php?id=CVE-2023-22912
20 Jan 2023 — An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt. • https://phabricator.wikimedia.org/T315123 • CWE-330: Use of Insufficiently Random Values •

CVE-2022-47927 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-47927
12 Jan 2023 — An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data. • https://lists.debian.org/debian-lts-announce/2023/07/msg00011.html • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2023-22945
https://notcve.org/view.php?id=CVE-2023-22945
11 Jan 2023 — In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. • https://gerrit.wikimedia.org/r/q/Id1b83fcd58eccb8b2dfea44a3ab2f72314860d88 • CWE-863: Incorrect Authorization •

CVE-2023-22909
https://notcve.org/view.php?id=CVE-2023-22909
10 Jan 2023 — An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A •

CVE-2023-22911
https://notcve.org/view.php?id=CVE-2023-22911
10 Jan 2023 — An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-41765 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-41765
26 Dec 2022 — An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. • https://phabricator.wikimedia.org/T309894 • CWE-203: Observable Discrepancy •

CVE-2022-41767 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-41767
26 Dec 2022 — An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup. • https://phabricator.wikimedia.org/T316304 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2022-39194
https://notcve.org/view.php?id=CVE-2022-39194
02 Sep 2022 — An issue was discovered in MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed. • https://phabricator.wikimedia.org/T313205 • CWE-400: Uncontrolled Resource Consumption •

CVE-2022-34911 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-34911
02 Jul 2022 — An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text(). • https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •