MediaWiki (Wiki Platform)

By the Year

In 2021 there have been 39 vulnerabilities in MediaWiki, with an average score of 6.2 out of ten. Last year MediaWiki had 30 security vulnerabilities published, so 9 more vulnerabilities have already been reported in 2021 than last year. Last year's average CVE base score was higher by 0.14.

| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2021 | 39              | 6.16          |
| 2020 | 30              | 6.30          |
| 2019 | 12              | 6.92          |
| 2018 | 4               | 5.65          |

It may take a day or so for new MediaWiki vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent MediaWiki Security Vulnerabilities

The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control

CVE-2021-41801 8.8 - High - October 11, 2021

The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog).

AuthZ

MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time)

CVE-2021-41799 7.5 - High - October 11, 2021

MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan.

Allocation of Resources Without Limits or Throttling

MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time)

CVE-2021-41800 5.3 - Medium - October 11, 2021

MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled.

Allocation of Resources Without Limits or Throttling

MediaWiki before 1.36.2 allows XSS

CVE-2021-41798 6.1 - Medium - October 11, 2021

MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.

XSS

An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2

CVE-2021-42042 4.8 - Medium - October 06, 2021

An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.

XSS

An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2

CVE-2021-42043 6.1 - Medium - October 06, 2021

An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query.

XSS

An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2

CVE-2021-42044 4.8 - Medium - October 06, 2021

An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, growthexperiments-mentor-dashboard-mentee-overview-info-text, growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline, and growthexperiments-mentor-dashboard-mentee-overview-active-ago MediaWiki messages were not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.

XSS

An issue was discovered in MediaWiki through 1.36.2

CVE-2021-42040 7.5 - High - October 06, 2021

An issue was discovered in MediaWiki through 1.36.2. A parser function related to loop control allowed for an infinite loop (and php-fpm hang) within the Loops extension because egLoopsCountLimit is mishandled. This could lead to memory exhaustion.

Infinite Loop

An issue was discovered in CentralAuth in MediaWiki through 1.36.2

CVE-2021-42041 6.1 - Medium - October 06, 2021

An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log.

XSS

An issue was discovered in the Oauth extension for MediaWiki through 1.35.2

CVE-2021-31556 9.8 - Critical - August 12, 2021

An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob.

Use of a Broken or Risky Cryptographic Algorithm

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36

CVE-2021-36125 7.5 - High - July 02, 2021

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalRenameRequest page is vulnerable to infinite loops and denial of service attacks when a user's current username is beyond an arbitrary maximum configuration value (MaxNameChars).

Infinite Loop

An issue was discovered in the FileImporter extension in MediaWiki through 1.36

CVE-2021-36132 8.8 - High - July 02, 2021

An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations (specifically file uploads) that they should not be allowed to perform.

AuthZ

An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36

CVE-2021-36131 4.8 - Medium - July 02, 2021

An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users.

XSS

An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36

CVE-2021-36130 4.8 - Medium - July 02, 2021

An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could easily propagate across many pages for many users.

XSS

An issue was discovered in the Translate extension in MediaWiki through 1.36

CVE-2021-36129 4.3 - Medium - July 02, 2021

An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata.

Incorrect Permission Assignment for Critical Resource

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36

CVE-2021-36128 9.8 - Critical - July 02, 2021

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Autoblocks for CentralAuth-issued suppression blocks are not properly implemented.

Authentication

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36

CVE-2021-36127 4.3 - Medium - July 02, 2021

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed to be completely hidden).

Insecure Storage of Sensitive Information

An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36

CVE-2021-36126 9.8 - Critical - July 02, 2021

An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36. If the MediaWiki:Abusefilter-blocker message is invalid within the content language, the filter user falls back to the English version, but that English version could also be invalid on a wiki. This would result in a fatal error, and potentially fail to block or restrict a potentially nefarious user.

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access

CVE-2021-35197 7.5 - High - July 02, 2021

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).

Exposure of Resource to Wrong Sphere

An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2

CVE-2021-31553 6.5 - Medium - April 22, 2021

An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2. MediaWiki usernames with trailing whitespace could be stored in the cu_log database table such that denial of service occurred for certain CheckUser extension pages and functionality. For example, the attacker could turn off Special:CheckUserLog and thus interfere with usage tracking.

Unquoted Search Path or Element

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2

CVE-2021-31545 5.3 - Medium - April 22, 2021

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The page_recent_contributors leaked the existence of certain deleted MediaWiki usernames, related to rev_deleted.

Information Disclosure

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2

CVE-2021-31546 4.3 - Medium - April 22, 2021

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly logged sensitive suppression deletions, which should not have been visible to users with access to view AbuseFilter log data.

Information Disclosure

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2

CVE-2021-31547 4.3 - Medium - April 22, 2021

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.

Exposure of Resource to Wrong Sphere

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2

CVE-2021-31548 6.5 - Medium - April 22, 2021

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.

Exposure of Resource to Wrong Sphere

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2

CVE-2021-31549 4.3 - Medium - April 22, 2021

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users.

Information Disclosure

An issue was discovered in the PageForms extension for MediaWiki through 1.35.2

CVE-2021-31551 6.1 - Medium - April 22, 2021

An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages.

XSS

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2

CVE-2021-31552 5.4 - Medium - April 22, 2021

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.

Exposure of Resource to Wrong Sphere

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2

CVE-2021-31554 5.4 - Medium - April 22, 2021

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked.

Exposure of Resource to Wrong Sphere

An issue was discovered in the Oauth extension for MediaWiki through 1.35.2

CVE-2021-31555 7.5 - High - April 22, 2021

An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. It did not validate the oarc_version (aka oauth_registered_consumer.oarc_version) parameter's length.

Improper Input Validation

An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2

CVE-2021-31550 5.4 - Medium - April 22, 2021

An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers.

XSS

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30159 4.3 - Medium - April 09, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30156 4.3 - Medium - April 09, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists.

Incorrect Permission Assignment for Critical Resource

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30155 4.3 - Medium - April 09, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page.

AuthZ

An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30152 4.3 - Medium - April 09, 2021

An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for.

Incorrect Permission Assignment for Critical Resource

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30154 6.1 - Medium - April 06, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.

XSS

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30157 6.1 - Medium - April 06, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.

XSS

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30158 5.3 - Medium - April 06, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.

Authentication

The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack.

CVE-2020-29004 8.8 - High - January 29, 2021

The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack.

Session Riding

The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials

CVE-2020-29005 7.5 - High - January 29, 2021

The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure.

Insufficiently Protected Credentials

An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1

CVE-2020-35624 5.3 - Medium - December 21, 2020

An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process unfolded.

Side Channel Attack

An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1

CVE-2020-35626 8.8 - High - December 21, 2020

An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.

Session Riding

An issue was discovered in the Widgets extension for MediaWiki through 1.35.1

CVE-2020-35625 8.8 - High - December 21, 2020

An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \MediaWiki\Shell\Shell::command within a comment.

Incorrect Permission Assignment for Critical Resource

An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1

CVE-2020-35623 7.5 - High - December 21, 2020

An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.

Insufficiently Protected Credentials

An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1

CVE-2020-35622 6.1 - Medium - December 21, 2020

An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions.

XSS

An issue was discovered in MediaWiki before 1.35.1

CVE-2020-35480 5.3 - Medium - December 18, 2020

An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.

Information Disclosure

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php

CVE-2020-35479 6.1 - Medium - December 18, 2020

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.

XSS

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php

CVE-2020-35478 6.1 - Medium - December 18, 2020

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.

XSS

MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations

CVE-2020-35477 5.3 - Medium - December 18, 2020

MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" checkbox (or a tags checkbox) next to it, there is a redirection to the main page's action=historysubmit (instead of the desired behavior in which a revision-deletion form appears).

Improper Input Validation

In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML

CVE-2020-35475 7.5 - High - December 18, 2020

In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)

Output Sanitization

In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so

CVE-2020-35474 6.1 - Medium - December 18, 2020

In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.

XSS

The PollNY extension for MediaWiki through 1.35

CVE-2020-29003 5.4 - Medium - November 24, 2020

The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.

XSS

includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35

CVE-2020-29002 4.8 - Medium - November 24, 2020

includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.

XSS

The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data

CVE-2020-27957 5.4 - Medium - October 28, 2020

The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.

XSS

The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address

CVE-2020-27621 4.3 - Medium - October 22, 2020

The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inability to properly audit and attribute various user actions performed via the FileImporter extension.

An issue was discovered in MediaWiki 1.34.x before 1.34.4

CVE-2020-25812 6.1 - Medium - September 27, 2020

An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.

XSS

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4

CVE-2020-25813 5.3 - Medium - September 27, 2020

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur

CVE-2020-25814 6.1 - Medium - September 27, 2020

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked.

XSS

An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4

CVE-2020-25815 6.1 - Medium - September 27, 2020

An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().

XSS

An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4

CVE-2020-25827 7.5 - High - September 27, 2020

An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.

Improper Restriction of Excessive Authentication Attempts

An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4

CVE-2020-25828 6.1 - Medium - September 27, 2020

An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)

XSS

XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4

CVE-2020-26120 6.1 - Medium - September 27, 2020

XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM.

XSS

An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4

CVE-2020-26121 7.5 - High - September 27, 2020

An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an upload restriction and a create restriction. An attacker cannot leverage this to overwrite anything, but can leverage this to force a wiki to have a page with a disallowed title.

AuthZ

An information leak was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4

CVE-2020-25869 7.5 - High - September 27, 2020

An information leak was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. Handling of actor ID does not necessarily use the correct database or correct wiki.

Improper Handling of Exceptional Conditions

In MediaWiki before 1.31.8

CVE-2020-15005 3.1 - Low - June 24, 2020

In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled.

Information Disclosure

resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35

CVE-2020-10959 6.1 - Medium - June 02, 2020

resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page.

Open Redirect

The CentralAuth extension through REL1_34 for MediaWiki

CVE-2020-12051 7.5 - High - April 21, 2020

The CentralAuth extension through REL1_34 for MediaWiki allows remote attackers to obtain sensitive hidden account information via an api.php?action=query&meta=globaluserinfo&guiuser= request. In other words, the information can be retrieved via the action API even though access would be denied when simply visiting wiki/Special:CentralAuth in a web browser.

Information Disclosure

In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes

CVE-2020-10960 5.3 - Medium - April 03, 2020

In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS).

Output Sanitization

In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0

CVE-2020-10534 9.8 - Critical - March 12, 2020

In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled.

Improper Privilege Management

The WikibaseMediaInfo extension 1.35 for MediaWiki

CVE-2020-6163 6.1 - Medium - January 08, 2020

The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file).

XSS

The MinervaNeue Skin in MediaWiki

CVE-2019-19910 6.1 - Medium - December 19, 2019

The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 and/or 1.34) mishandles certain HTML attributes, as demonstrated by IMG onmouseover= (impact is XSS) and IMG src=http (impact is disclosing the client's IP address). This can occur within a talk page topical header that is viewed within a mobile (MobileFrontend) context.

XSS

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing

CVE-2019-19709 6.1 - Medium - December 11, 2019

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.

Open Redirect

In MediaWiki through 1.33.0, Special:Redirect

CVE-2019-16738 5.3 - Medium - September 26, 2019

In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.

Information Disclosure

MediaWiki through 1.32.1 has Incorrect Access Control

CVE-2019-12469 6.5 - Medium - July 10, 2019

MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

AuthZ

Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control

CVE-2019-12470 6.5 - Medium - July 10, 2019

Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

AuthZ

Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak

CVE-2019-12474 7.5 - High - July 10, 2019

Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

Wikimedia MediaWiki through 1.32.1

CVE-2019-12466 8.8 - High - July 10, 2019

Wikimedia MediaWiki through 1.32.1 allows CSRF.

Session Riding

Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS

CVE-2019-12471 6.1 - Medium - July 10, 2019

Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

XSS

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1

CVE-2019-12472 7.5 - High - July 10, 2019

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS

CVE-2019-12473 7.5 - High - July 10, 2019

Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1

CVE-2019-12468 9.8 - Critical - July 10, 2019

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover.

Missing Authentication for Critical Function

MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3)

CVE-2019-12467 5.3 - Medium - July 10, 2019

MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry for 'user' overrides

CVE-2018-0503 4.3 - Medium - October 04, 2018

MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where, contrary to the documentation, the $wgRateLimits entry for 'user' overrides that for 'newbie'.

Improper Privilege Management

MediaWiki 1.31 before 1.31.1 misses .htaccess files in the provided tarball used to protect some directories

CVE-2018-13258 5.3 - Medium - October 04, 2018

MediaWiki 1.31 before 1.31.1 is missing .htaccess files in the provided tarball that are used to protect some directories that shouldn't be web accessible.

Information Disclosure

MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords

CVE-2018-0505 6.5 - Medium - October 04, 2018

MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock.

Authentication

MediaWiki 1.31 before 1.31.1

CVE-2018-0504 6.5 - Medium - October 04, 2018

MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid

Insertion of Sensitive Information into Log File

MediaWiki before 1.17.1

CVE-2011-4360 - January 08, 2012

MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter.

Information Disclosure

MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which

CVE-2011-4361 - January 08, 2012

MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions.

Incorrect Default Permissions

Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used

CVE-2008-0460 - January 25, 2008

Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

XSS
