Note: This project will be discontinued after December 13, 2021.

Product: Mediawiki
Repositories:
• https://github.com/wikimedia/mediawiki
• https://github.com/wikimedia/mediawiki-core
#Vulnerabilities: 354
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2021-01-29 | CVE-2020-29005 | The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure. | Mediawiki | 7.5 | | |
2021-07-02 | CVE-2021-36125 | An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalRenameRequest page is vulnerable to infinite loops and denial of service attacks when a user's current username is beyond an arbitrary maximum configuration value (MaxNameChars). | Mediawiki | 7.5 | | |
2021-07-02 | CVE-2021-36126 | An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36. If the MediaWiki:Abusefilter-blocker message is invalid within the content language, the filter user falls back to the English version, but that English version could also be invalid on a wiki. This would result in a fatal error, and could fail to block or restrict a potentially nefarious user. | Mediawiki | 9.8 | | |
2021-07-02 | CVE-2021-36127 | An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed to be completely hidden). | Mediawiki | 4.3 | | |
2021-07-02 | CVE-2021-36129 | An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata. | Mediawiki | 4.3 | | |
2021-07-02 | CVE-2021-36130 | An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could easily propagate across many pages for many users. | Mediawiki | 4.8 | | |
2021-07-02 | CVE-2021-36132 | An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations (specifically file uploads) that they should not be allowed to perform. | Mediawiki | 8.8 | | |
2021-07-02 | CVE-2021-36131 | An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users. | Mediawiki | 4.8 | | |
2021-04-22 | CVE-2021-31550 | An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers. | Mediawiki | 5.4 | | |
2021-04-22 | CVE-2021-31555 | An issue was discovered in the OAuth extension for MediaWiki through 1.35.2. It did not validate the length of the oarc_version (aka oauth_registered_consumer.oarc_version) parameter. | Mediawiki | 7.5 | | |