CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4561 – SemanticDrilldown Extension GET Parameter SDBrowseDataPage.php printFilterLine cross site scripting
https://notcve.org/view.php?id=CVE-2022-4561
16 Dec 2022 — A vulnerability classified as problematic has been found in SemanticDrilldown Extension. Affected is the function printFilterLine of the file includes/specials/SDBrowseDataPage.php of the component GET Parameter Handler. The manipulation of the argument value leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is 6e18cf740a4548166c1d95f6d3a28541d298a3aa. • https://github.com/wikimedia/mediawiki-extensions-SemanticDrilldown/commit/6e18cf740a4548166c1d95f6d3a28541d298a3aa • CWE-707: Improper Neutralization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-28204
https://notcve.org/view.php?id=CVE-2022-28204
19 Sep 2022 — A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk. Se ha detectado un problema de denegación de servicio en MediaWiki versiones 1.37.x anteriores a 1.37.2. • https://phabricator.wikimedia.org/T297754 •
CVSS: 4.4EPSS: 0%CPEs: 5EXPL: 1CVE-2022-28201
https://notcve.org/view.php?id=CVE-2022-28201
19 Sep 2022 — An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. Se ha detectado un problema en MediaWiki versiones anteriores a 1.35.6, 1.36.x anteriores a 1.36.4 y 1.37.x anteriores a 1.37.2. Los usuarios con el permiso editinterface pueden desencadenar una recursión infinita, porque un interwiki local desnudo es manejado inapropi... • https://blog.legoktm.com/2022/07/03/a-belated-writeup-of-cve-2022-28201-in-mediawiki.html • CWE-674: Uncontrolled Recursion •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2022-28203
https://notcve.org/view.php?id=CVE-2022-28203
19 Sep 2022 — A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query. Se ha detectado un problema de denegación de servicio en MediaWiki versiones anteriores a 1.35.6, 1.36.x anteriores a 1.36.4 y 1.37.x anteriores a 1.37.2. Cuando se presentan muchos archivos, la petición de Special:NewFiles con actor como condición puede resultar en una consul... • https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html • CWE-763: Release of Invalid Pointer or Reference •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39194
https://notcve.org/view.php?id=CVE-2022-39194
02 Sep 2022 — An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed. Se ha detectado un problema en MediaWiki versiones hasta 1.38.2. Las páginas de configuración de la comunidad para la extensión GrowthExperiments podían causar que un sitio no estuviera disponible debido a una comprobación insuficiente cuando son llevad... • https://phabricator.wikimedia.org/T313205 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2022-34912 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-34912
02 Jul 2022 — An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped. Se ha descubierto un problema en MediaWiki versiones anteriores a 1.37.3 y en versiones 1.38.x anteriores a 1.38.1. El contributions-title, usa en Special:Contributions, es usadao como título de la página sin escapar. • https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-34911 – Gentoo Linux Security Advisory 202305-24
https://notcve.org/view.php?id=CVE-2022-34911
02 Jul 2022 — An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text(). Se ha detectado un problema en MediaWiki versiones ante... • https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34750
https://notcve.org/view.php?id=CVE-2022-34750
28 Jun 2022 — An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vectors within the Wikibase and WikibaseLexeme extensions. This is related to Special:NewLexeme and Special:NewProperty. Se ha detectado un problema en MediaWiki versiones hasta 1.38.1. • https://gerrit.wikimedia.org/r/q/I8171bfef73e525d73efa60b407ce147130ea4742 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29969
https://notcve.org/view.php?id=CVE-2022-29969
02 May 2022 — The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true). La extensión RSS versiones anteriores a 29-04-2022 para MediaWiki permite un ataque de tipo XSS por medio de un elemento rss (si el feed está en $wgRSSUrlWhitelist y $wgRSSAllowLinkTag es true) • https://gerrit.wikimedia.org/r/c/787807 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-28323
https://notcve.org/view.php?id=CVE-2022-28323
30 Apr 2022 — An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported, Se ha detectado un problema en MediaWiki versiones hasta 1.37.2. La extensión SecurePoll permite un filtrado porque es admitida una ordenación por marca de tiempo • https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893 •