CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-30153
https://notcve.org/view.php?id=CVE-2021-30153
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor. • https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html https://phabricator.wikimedia.org/T270453 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29140
https://notcve.org/view.php?id=CVE-2023-29140
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted. • https://phabricator.wikimedia.org/T327613 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29137
https://notcve.org/view.php?id=CVE-2023-29137
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users. • https://phabricator.wikimedia.org/T328643 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29139
https://notcve.org/view.php?id=CVE-2023-29139
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. When a user with checkuserlog permissions makes many CheckUserLog API requests in some configurations, denial of service can occur (RequestTimeoutException or upstream request timeout). • https://phabricator.wikimedia.org/T326293 •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-29141
https://notcve.org/view.php?id=CVE-2023-29141
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. • https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39 https://lists.debian.org/debian-lts-announce/2023/08/msg00029.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ONWHGOBFD6CQAEGOP5O375XAP2N6RUHT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7 https://phabricator.wikimedia.org/T285159 https://www.debian.org/security/2023/dsa-5447 •