CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-41767 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-41767
26 Dec 2022 — An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup. Se descubrió un problema en MediaWiki antes de 1.35.8, 1.36.x y 1.37.x antes de 1.37.5 y 1.38.x antes de 1.38.3. Cuando los cambios realizados por una dirección IP se reasignan a un usuario (usando reassignE... • https://phabricator.wikimedia.org/T316304 •
CVSS: 4.4EPSS: 0%CPEs: 5EXPL: 1CVE-2022-28201
https://notcve.org/view.php?id=CVE-2022-28201
19 Sep 2022 — An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. Se ha detectado un problema en MediaWiki versiones anteriores a 1.35.6, 1.36.x anteriores a 1.36.4 y 1.37.x anteriores a 1.37.2. Los usuarios con el permiso editinterface pueden desencadenar una recursión infinita, porque un interwiki local desnudo es manejado inapropi... • https://blog.legoktm.com/2022/07/03/a-belated-writeup-of-cve-2022-28201-in-mediawiki.html • CWE-674: Uncontrolled Recursion •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2022-28203
https://notcve.org/view.php?id=CVE-2022-28203
19 Sep 2022 — A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query. Se ha detectado un problema de denegación de servicio en MediaWiki versiones anteriores a 1.35.6, 1.36.x anteriores a 1.36.4 y 1.37.x anteriores a 1.37.2. Cuando se presentan muchos archivos, la petición de Special:NewFiles con actor como condición puede resultar en una consul... • https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html • CWE-763: Release of Invalid Pointer or Reference •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39194
https://notcve.org/view.php?id=CVE-2022-39194
02 Sep 2022 — An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed. Se ha detectado un problema en MediaWiki versiones hasta 1.38.2. Las páginas de configuración de la comunidad para la extensión GrowthExperiments podían causar que un sitio no estuviera disponible debido a una comprobación insuficiente cuando son llevad... • https://phabricator.wikimedia.org/T313205 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-34911 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-34911
02 Jul 2022 — An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text(). Se ha detectado un problema en MediaWiki versiones ante... • https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2022-34912 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-34912
02 Jul 2022 — An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped. Se ha descubierto un problema en MediaWiki versiones anteriores a 1.37.3 y en versiones 1.38.x anteriores a 1.38.1. El contributions-title, usa en Special:Contributions, es usadao como título de la página sin escapar. • https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34750
https://notcve.org/view.php?id=CVE-2022-34750
28 Jun 2022 — An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vectors within the Wikibase and WikibaseLexeme extensions. This is related to Special:NewLexeme and Special:NewProperty. Se ha detectado un problema en MediaWiki versiones hasta 1.38.1. • https://gerrit.wikimedia.org/r/q/I8171bfef73e525d73efa60b407ce147130ea4742 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-28323
https://notcve.org/view.php?id=CVE-2022-28323
30 Apr 2022 — An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported, Se ha detectado un problema en MediaWiki versiones hasta 1.37.2. La extensión SecurePoll permite un filtrado porque es admitida una ordenación por marca de tiempo • https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29903
https://notcve.org/view.php?id=CVE-2022-29903
29 Apr 2022 — The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains. La extensión Private Domains para MediaWiki versiones hasta 1.37.2, (anteriores a 1ad65d4c1c199b375ea80988d99ab51ae068f766) permite una vulnerabilidad de tipo CSRF para la edición de páginas que almacenan la configuración de la extensión. El atacante debe lanzar ... • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 13%CPEs: 1EXPL: 1CVE-2022-29904
https://notcve.org/view.php?id=CVE-2022-29904
29 Apr 2022 — The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints. La extensión SemanticDrilldown para MediaWiki versiones hasta 1.37.2 (anteriores a e688bdba6434591b5dff689a45e4d53459954773) permite una inyección SQL con determinadas restricciones "-" y "_" • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SemanticDrilldown/+/785213 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •