
20 vulnerabilities found for MediaWiki by Wikimedia Foundation

CVE-2025-32700 (GCVE-0-2025-32700)

Vulnerability from cvelistv5 – Published: 2025-04-10 18:31 – Updated: 2025-04-10 18:49
Title
AbuseFilter log interfaces expose global private and hidden filters when central DB is not available
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.php, includes/Pager/AbuseLogPager.php, includes/Special/SpecialAbuseLog.php, includes/View/AbuseFilterViewExamine.php. This issue affects AbuseFilter: from 1.43.0 before 1.43.1.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: >= 1.43.0 , < 1.43.1 (semver)
Credits
Dreamy_Jazz Dreamy_Jazz

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32700",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T18:49:42.892657Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T18:49:53.510Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "AbuseFilter",
          "product": "MediaWiki",
          "programFiles": [
            "includes/Api/QueryAbuseLog.php",
            "includes/Pager/AbuseLogPager.php",
            "includes/Special/SpecialAbuseLog.php",
            "includes/View/AbuseFilterViewExamine.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/AbuseFilter/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.43.1",
              "status": "affected",
              "version": "\u003e= 1.43.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dreamy_Jazz"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Dreamy_Jazz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/Api/QueryAbuseLog.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Pager/AbuseLogPager.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Special/SpecialAbuseLog.Php\u003c/tt\u003e, \u003ctt\u003eincludes/View/AbuseFilterViewExamine.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects AbuseFilter: from \u0026gt;= 1.43.0 before 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.Php, includes/Pager/AbuseLogPager.Php, includes/Special/SpecialAbuseLog.Php, includes/View/AbuseFilterViewExamine.Php.\n\nThis issue affects AbuseFilter: from \u003e= 1.43.0 before 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:31:03.497Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T389235"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T389235"
        ],
        "discovery": "INTERNAL"
      },
      "title": "AbuseFilter log interfaces expose global private and hidden filters when central DB is not available",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32700",
    "datePublished": "2025-04-10T18:31:03.497Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-04-10T18:49:53.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32699 (GCVE-0-2025-32699)

Vulnerability from cvelistv5 – Published: 2025-04-10 18:30 – Updated: 2025-11-03 19:53
Title
Potential javascript injection attack enabled by Unicode normalization in Action API
Summary
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
  • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.39.12, 1.42.6, 1.43.1 (semver)
    Wikimedia Foundation Parsoid Affected: 0 , < 0.16.5, 0.19.2, 0.20.2 (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32699",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T18:51:20.639216Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T18:51:28.531Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:53:36.439Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.12, 1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Parsoid",
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/services/parsoid/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "0.16.5, 0.19.2, 0.20.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.\u003c/p\u003e"
            }
          ],
          "value": "Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:30:24.238Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T387130"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T387130"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Potential javascript injection attack enabled by Unicode normalization in Action API",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32699",
    "datePublished": "2025-04-10T18:30:24.238Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-11-03T19:53:36.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-32698 (GCVE-0-2025-32698)

Vulnerability from cvelistv5 – Published: 2025-04-10 18:29 – Updated: 2025-11-03 19:53
Title
LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.39.12, 1.42.6, 1.43.1 (semver)
Credits
A_smart_kitten Bartosz Dziewoński

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32698",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T18:51:46.269330Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T18:51:57.692Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:53:35.072Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "programFiles": [
            "includes/logging/LogPager.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.12, 1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "A_smart_kitten"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Bartosz Dziewo\u0144ski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/logging/LogPager.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:29:52.354Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T385958"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T385958"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32698",
    "datePublished": "2025-04-10T18:29:52.354Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-11-03T19:53:35.072Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-32697 (GCVE-0-2025-32697)

Vulnerability from cvelistv5 – Published: 2025-04-10 18:29 – Updated: 2025-04-10 19:05
Title
Cascading protection is not preventing file reversions
Summary
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.php, includes/Permissions/PermissionManager.php, includes/Permissions/RestrictionStore.php. This issue affects MediaWiki: before 1.42.6, 1.43.1.
CWE
  • CWE-281 - Improper Preservation of Permissions
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.42.6, 1.43.1 (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32697",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T19:05:19.090332Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T19:05:48.098Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "programFiles": [
            "includes/editpage/IntroMessageBuilder.php",
            "includes/Permissions/PermissionManager.php",
            "includes/Permissions/RestrictionStore.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/editpage/IntroMessageBuilder.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Permissions/PermissionManager.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Permissions/RestrictionStore.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.42.6, 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php.\n\nThis issue affects MediaWiki: before 1.42.6, 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 0,
            "baseSeverity": "NONE",
            "privilegesRequired": "LOW",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-281",
              "description": "CWE-281 Improper Preservation of Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:29:17.482Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T140010"
        },
        {
          "url": "https://phabricator.wikimedia.org/T62109"
        },
        {
          "url": "https://phabricator.wikimedia.org/T24521"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T140010"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Cascading protection is not preventing file reversions",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32697",
    "datePublished": "2025-04-10T18:29:17.482Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-04-10T19:05:48.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32696 (GCVE-0-2025-32696)

Vulnerability from cvelistv5 – Published: 2025-04-10 18:28 – Updated: 2025-11-03 19:53
Title
"reupload-own" restriction can be bypassed by reverting file
Summary
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.php, includes/api/ApiFileRevert.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
CWE
  • CWE-281 - Improper Preservation of Permissions
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.39.12, 1.42.6, 1.43.1 (semver)
Credits
Porplemontage Bartosz Dziewoński

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32696",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T19:06:02.895680Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T19:06:14.490Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:53:33.707Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "programFiles": [
            "includes/actions/RevertAction.php",
            "includes/api/ApiFileRevert.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.12, 1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Porplemontage"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Bartosz Dziewo\u0144ski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/actions/RevertAction.Php\u003c/tt\u003e, \u003ctt\u003eincludes/api/ApiFileRevert.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 0,
            "baseSeverity": "NONE",
            "privilegesRequired": "LOW",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-281",
              "description": "CWE-281 Improper Preservation of Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:28:48.161Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T304474"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T304474"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "\"reupload-own\" restriction can be bypassed by reverting file",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32696",
    "datePublished": "2025-04-10T18:28:48.161Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-11-03T19:53:33.707Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-3469 (GCVE-0-2025-3469)

Vulnerability from cvelistv5 – Published: 2025-04-10 18:28 – Updated: 2025-11-03 19:53
Title
i18n XSS vulnerability in HTMLMultiSelectField when sections are used
Summary
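Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the program file includes/htmlform/fields/HTMLMultiSelectField.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. The CNA-supplied CVSS 4.0 vector in the record below sets every impact metric to NONE (base score 0), so the score alone is not a reliable triage signal for this CWE-79 issue; the referenced Phabricator task and the fixed versions are the better guide.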
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.39.12, 1.42.6, 1.43.1 (semv)
Credits
Daimona Daimona Daimona

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3469",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T19:06:28.941077Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T19:06:36.330Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:53:59.985Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "programFiles": [
            "includes/htmlform/fields/HTMLMultiSelectField.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.12, 1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semv"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Daimona"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Daimona"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Daimona"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/htmlform/fields/HTMLMultiSelectField.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 0,
            "baseSeverity": "NONE",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:28:13.370Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T358689"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T358689"
        ],
        "discovery": "INTERNAL"
      },
      "title": "i18n XSS vulnerability in HTMLMultiSelectField when sections are used",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-3469",
    "datePublished": "2025-04-10T18:28:13.370Z",
    "dateReserved": "2025-04-09T14:30:16.780Z",
    "dateUpdated": "2025-11-03T19:53:59.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2013-4572 (GCVE-0-2013-4572)

Vulnerability from cvelistv5 – Published: 2020-02-06 14:40 – Updated: 2024-08-06 16:45
Summary
The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.
Severity ?
No CVSS data available.
CWE
  • Other
Assigner
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: before 1.19.9
Affected: 1.20.x before 1.20.8
Affected: 1.21.x before 1.21.3

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:45:15.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MediaWiki",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "before 1.19.9"
            },
            {
              "status": "affected",
              "version": "1.20.x before 1.20.8"
            },
            {
              "status": "affected",
              "version": "1.21.x before 1.21.3"
            }
          ]
        }
      ],
      "datePublic": "2013-08-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Other",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-06T14:40:13",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-4572",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MediaWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 1.19.9"
                          },
                          {
                            "version_value": "1.20.x before 1.20.8"
                          },
                          {
                            "version_value": "1.21.x before 1.21.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Wikimedia Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032",
              "refsource": "MISC",
              "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032"
            },
            {
              "name": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html",
              "refsource": "MISC",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html"
            },
            {
              "name": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html",
              "refsource": "MISC",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html"
            },
            {
              "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html",
              "refsource": "CONFIRM",
              "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-4572",
    "datePublished": "2020-02-06T14:40:13",
    "dateReserved": "2013-06-12T00:00:00",
    "dateUpdated": "2024-08-06T16:45:15.240Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-6451 (GCVE-0-2013-6451)

Vulnerability from cvelistv5 – Published: 2020-01-28 14:56 – Updated: 2024-08-06 17:39
Summary
Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.
Severity ?
No CVSS data available.
CWE
  • Cross-Site Scripting
Assigner
References
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 1.19.9 before 1.19.10
Affected: 1.2x before 1.21.4
Affected: 1.22.x before 1.22.1

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:39:01.483Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MediaWiki",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "1.19.9 before 1.19.10"
            },
            {
              "status": "affected",
              "version": "1.2x before 1.21.4"
            },
            {
              "status": "affected",
              "version": "1.22.x before 1.22.1"
            }
          ]
        }
      ],
      "datePublic": "2014-01-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-28T14:56:22",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-6451",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MediaWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.19.9 before 1.19.10"
                          },
                          {
                            "version_value": "1.2x before 1.21.4"
                          },
                          {
                            "version_value": "1.22.x before 1.22.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Wikimedia Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html",
              "refsource": "MISC",
              "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-6451",
    "datePublished": "2020-01-28T14:56:22",
    "dateReserved": "2013-11-04T00:00:00",
    "dateUpdated": "2024-08-06T17:39:01.483Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-6455 (GCVE-0-2013-6455)

Vulnerability from cvelistv5 – Published: 2020-01-28 14:54 – Updated: 2024-08-06 17:39
Summary
The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page.
Severity ?
No CVSS data available.
CWE
  • Path Disclosure
Assigner
References
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: before 1.19.10
Affected: 1.2x before 1.21.4
Affected: 1.22.x before 1.22.1

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:39:01.461Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MediaWiki",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "before 1.19.10"
            },
            {
              "status": "affected",
              "version": "1.2x before 1.21.4"
            },
            {
              "status": "affected",
              "version": "1.22.x before 1.22.1"
            }
          ]
        }
      ],
      "datePublic": "2014-01-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Path Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-28T14:54:22",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-6455",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MediaWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 1.19.10"
                          },
                          {
                            "version_value": "1.2x before 1.21.4"
                          },
                          {
                            "version_value": "1.22.x before 1.22.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Wikimedia Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Path Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html",
              "refsource": "MISC",
              "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-6455",
    "datePublished": "2020-01-28T14:54:22",
    "dateReserved": "2013-11-04T00:00:00",
    "dateUpdated": "2024-08-06T17:39:01.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-4303 (GCVE-0-2013-4303)

Vulnerability from cvelistv5 – Published: 2019-12-11 18:30 – Updated: 2024-08-06 16:38
Summary
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.
Severity ?
No CVSS data available.
CWE
  • Cross-Site Scripting
Assigner
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 1.19.x before 1.19.8
Affected: 1.20.x before 1.20.7
Affected: and 1.21.x before 1.21.2

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:38:01.957Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2013/q3/553"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/62194"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MediaWiki",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "1.19.x before 1.19.8"
            },
            {
              "status": "affected",
              "version": "1.20.x before 1.20.7"
            },
            {
              "status": "affected",
              "version": "and 1.21.x before 1.21.2"
            }
          ]
        }
      ],
      "datePublic": "2013-09-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of \".\" (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-12-11T18:30:37",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://seclists.org/oss-sec/2013/q3/553"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.securityfocus.com/bid/62194"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-4303",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MediaWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.19.x before 1.19.8"
                          },
                          {
                            "version_value": "1.20.x before 1.20.7"
                          },
                          {
                            "version_value": "and 1.21.x before 1.21.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Wikimedia Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of \".\" (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html",
              "refsource": "MISC",
              "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html"
            },
            {
              "name": "http://seclists.org/oss-sec/2013/q3/553",
              "refsource": "MISC",
              "url": "http://seclists.org/oss-sec/2013/q3/553"
            },
            {
              "name": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746",
              "refsource": "MISC",
              "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746"
            },
            {
              "name": "http://www.securityfocus.com/bid/62194",
              "refsource": "MISC",
              "url": "http://www.securityfocus.com/bid/62194"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-4303",
    "datePublished": "2019-12-11T18:30:37",
    "dateReserved": "2013-06-12T00:00:00",
    "dateUpdated": "2024-08-06T16:38:01.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32700 (GCVE-0-2025-32700)

Vulnerability from nvd – Published: 2025-04-10 18:31 – Updated: 2025-04-10 18:49
Title
AbuseFilter log interfaces expose global private and hidden filters when central DB is not available
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.php, includes/Pager/AbuseLogPager.php, includes/Special/SpecialAbuseLog.php, includes/View/AbuseFilterViewExamine.php. This issue affects AbuseFilter: from 1.43.0 before 1.43.1.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: >= 1.43.0 , < 1.43.1 (semver)
Credits
Dreamy_Jazz Dreamy_Jazz

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32700",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T18:49:42.892657Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T18:49:53.510Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "AbuseFilter",
          "product": "MediaWiki",
          "programFiles": [
            "includes/Api/QueryAbuseLog.php",
            "includes/Pager/AbuseLogPager.php",
            "includes/Special/SpecialAbuseLog.php",
            "includes/View/AbuseFilterViewExamine.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/extensions/AbuseFilter/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.43.1",
              "status": "affected",
              "version": "\u003e= 1.43.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dreamy_Jazz"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Dreamy_Jazz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/Api/QueryAbuseLog.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Pager/AbuseLogPager.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Special/SpecialAbuseLog.Php\u003c/tt\u003e, \u003ctt\u003eincludes/View/AbuseFilterViewExamine.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects AbuseFilter: from \u0026gt;= 1.43.0 before 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.Php, includes/Pager/AbuseLogPager.Php, includes/Special/SpecialAbuseLog.Php, includes/View/AbuseFilterViewExamine.Php.\n\nThis issue affects AbuseFilter: from \u003e= 1.43.0 before 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:31:03.497Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T389235"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T389235"
        ],
        "discovery": "INTERNAL"
      },
      "title": "AbuseFilter log interfaces expose global private and hidden filters when central DB is not available",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32700",
    "datePublished": "2025-04-10T18:31:03.497Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-04-10T18:49:53.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32699 (GCVE-0-2025-32699)

Vulnerability from nvd – Published: 2025-04-10 18:30 – Updated: 2025-11-03 19:53
Title
Potential javascript injection attack enabled by Unicode normalization in Action API
Summary
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
  • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.39.12, 1.42.6, 1.43.1 (semver)
    Wikimedia Foundation Parsoid Affected: 0 , < 0.16.5, 0.19.2, 0.20.2 (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32699",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T18:51:20.639216Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T18:51:28.531Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:53:36.439Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.12, 1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Parsoid",
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/services/parsoid/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "0.16.5, 0.19.2, 0.20.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.\u003c/p\u003e"
            }
          ],
          "value": "Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:30:24.238Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T387130"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T387130"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Potential javascript injection attack enabled by Unicode normalization in Action API",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32699",
    "datePublished": "2025-04-10T18:30:24.238Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-11-03T19:53:36.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-32698 (GCVE-0-2025-32698)

Vulnerability from nvd – Published: 2025-04-10 18:29 – Updated: 2025-11-03 19:53
Title
LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.39.12, 1.42.6, 1.43.1 (semver)
Credits
A_smart_kitten Bartosz Dziewoński

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32698",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T18:51:46.269330Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T18:51:57.692Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:53:35.072Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "programFiles": [
            "includes/logging/LogPager.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.12, 1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "A_smart_kitten"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Bartosz Dziewo\u0144ski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/logging/LogPager.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:29:52.354Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T385958"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T385958"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32698",
    "datePublished": "2025-04-10T18:29:52.354Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-11-03T19:53:35.072Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-32697 (GCVE-0-2025-32697)

Vulnerability from nvd – Published: 2025-04-10 18:29 – Updated: 2025-04-10 19:05
Title
Cascading protection is not preventing file reversions
Summary
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.php, includes/Permissions/PermissionManager.php, includes/Permissions/RestrictionStore.php. This issue affects MediaWiki: before 1.42.6, 1.43.1.
CWE
  • CWE-281 - Improper Preservation of Permissions
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.42.6, 1.43.1 (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32697",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T19:05:19.090332Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T19:05:48.098Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "programFiles": [
            "includes/editpage/IntroMessageBuilder.php",
            "includes/Permissions/PermissionManager.php",
            "includes/Permissions/RestrictionStore.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/editpage/IntroMessageBuilder.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Permissions/PermissionManager.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Permissions/RestrictionStore.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.42.6, 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php.\n\nThis issue affects MediaWiki: before 1.42.6, 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 0,
            "baseSeverity": "NONE",
            "privilegesRequired": "LOW",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-281",
              "description": "CWE-281 Improper Preservation of Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:29:17.482Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T140010"
        },
        {
          "url": "https://phabricator.wikimedia.org/T62109"
        },
        {
          "url": "https://phabricator.wikimedia.org/T24521"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T140010"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Cascading protection is not preventing file reversions",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32697",
    "datePublished": "2025-04-10T18:29:17.482Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-04-10T19:05:48.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32696 (GCVE-0-2025-32696)

Vulnerability from nvd – Published: 2025-04-10 18:28 – Updated: 2025-11-03 19:53
Title
"reupload-own" restriction can be bypassed by reverting file
Summary
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.php, includes/api/ApiFileRevert.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
CWE
  • CWE-281 - Improper Preservation of Permissions
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.39.12, 1.42.6, 1.43.1 (semver)
Credits
Porplemontage Bartosz Dziewoński

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32696",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T19:06:02.895680Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T19:06:14.490Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:53:33.707Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "programFiles": [
            "includes/actions/RevertAction.php",
            "includes/api/ApiFileRevert.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.12, 1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Porplemontage"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Bartosz Dziewo\u0144ski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/actions/RevertAction.Php\u003c/tt\u003e, \u003ctt\u003eincludes/api/ApiFileRevert.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 0,
            "baseSeverity": "NONE",
            "privilegesRequired": "LOW",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-281",
              "description": "CWE-281 Improper Preservation of Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:28:48.161Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T304474"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T304474"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "\"reupload-own\" restriction can be bypassed by reverting file",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-32696",
    "datePublished": "2025-04-10T18:28:48.161Z",
    "dateReserved": "2025-04-09T12:54:49.385Z",
    "dateUpdated": "2025-11-03T19:53:33.707Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-3469 (GCVE-0-2025-3469)

Vulnerability from nvd – Published: 2025-04-10 18:28 – Updated: 2025-11-03 19:53
Title
i18n XSS vulnerability in HTMLMultiSelectField when sections are used
Summary
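Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. Note: the CVSS 4.0 vector supplied in the record below sets every impact metric to None (base score 0), so score-based triage will not surface this XSS; check the affected-version range instead.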
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 0 , < 1.39.12, 1.42.6, 1.43.1 (semv)
Credits
Daimona (finder, reporter, remediation developer)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3469",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T19:06:28.941077Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T19:06:36.330Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:53:59.985Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaWiki",
          "programFiles": [
            "includes/htmlform/fields/HTMLMultiSelectField.php"
          ],
          "repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.12, 1.42.6, 1.43.1",
              "status": "affected",
              "version": "0",
              "versionType": "semv"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Daimona"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Daimona"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Daimona"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/htmlform/fields/HTMLMultiSelectField.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 0,
            "baseSeverity": "NONE",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T18:28:13.370Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T358689"
        }
      ],
      "source": {
        "defect": [
          "https://phabricator.wikimedia.org/T358689"
        ],
        "discovery": "INTERNAL"
      },
      "title": "i18n XSS vulnerability in HTMLMultiSelectField when sections are used",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-3469",
    "datePublished": "2025-04-10T18:28:13.370Z",
    "dateReserved": "2025-04-09T14:30:16.780Z",
    "dateUpdated": "2025-11-03T19:53:59.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2013-4572 (GCVE-0-2013-4572)

Vulnerability from nvd – Published: 2020-02-06 14:40 – Updated: 2024-08-06 16:45
Summary
The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.
Severity ?
No CVSS data available.
CWE
  • Other
Assigner
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: before 1.19.9
Affected: 1.20.x before 1.20.8
Affected: 1.21.x before 1.21.3

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:45:15.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MediaWiki",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "before 1.19.9"
            },
            {
              "status": "affected",
              "version": "1.20.x before 1.20.8"
            },
            {
              "status": "affected",
              "version": "1.21.x before 1.21.3"
            }
          ]
        }
      ],
      "datePublic": "2013-08-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Other",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-06T14:40:13",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-4572",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MediaWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 1.19.9"
                          },
                          {
                            "version_value": "1.20.x before 1.20.8"
                          },
                          {
                            "version_value": "1.21.x before 1.21.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Wikimedia Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032",
              "refsource": "MISC",
              "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=53032"
            },
            {
              "name": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html",
              "refsource": "MISC",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html"
            },
            {
              "name": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html",
              "refsource": "MISC",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html"
            },
            {
              "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html",
              "refsource": "CONFIRM",
              "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-4572",
    "datePublished": "2020-02-06T14:40:13",
    "dateReserved": "2013-06-12T00:00:00",
    "dateUpdated": "2024-08-06T16:45:15.240Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-6451 (GCVE-0-2013-6451)

Vulnerability from nvd – Published: 2020-01-28 14:56 – Updated: 2024-08-06 17:39
Summary
Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.
Severity ?
No CVSS data available.
CWE
  • Cross-Site Scripting
Assigner
References
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 1.19.9 before 1.19.10
Affected: 1.2x before 1.21.4
Affected: 1.22.x before 1.22.1

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:39:01.483Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MediaWiki",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "1.19.9 before 1.19.10"
            },
            {
              "status": "affected",
              "version": "1.2x before 1.21.4"
            },
            {
              "status": "affected",
              "version": "1.22.x before 1.22.1"
            }
          ]
        }
      ],
      "datePublic": "2014-01-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-28T14:56:22",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-6451",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MediaWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.19.9 before 1.19.10"
                          },
                          {
                            "version_value": "1.2x before 1.21.4"
                          },
                          {
                            "version_value": "1.22.x before 1.22.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Wikimedia Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html",
              "refsource": "MISC",
              "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-6451",
    "datePublished": "2020-01-28T14:56:22",
    "dateReserved": "2013-11-04T00:00:00",
    "dateUpdated": "2024-08-06T17:39:01.483Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-6455 (GCVE-0-2013-6455)

Vulnerability from nvd – Published: 2020-01-28 14:54 – Updated: 2024-08-06 17:39
Summary
The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page.
Severity ?
No CVSS data available.
CWE
  • Path Disclosure
Assigner
References
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: before 1.19.10
Affected: 1.2x before 1.21.4
Affected: 1.22.x before 1.22.1

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:39:01.461Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MediaWiki",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "before 1.19.10"
            },
            {
              "status": "affected",
              "version": "1.2x before 1.21.4"
            },
            {
              "status": "affected",
              "version": "1.22.x before 1.22.1"
            }
          ]
        }
      ],
      "datePublic": "2014-01-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Path Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-28T14:54:22",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-6455",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MediaWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 1.19.10"
                          },
                          {
                            "version_value": "1.2x before 1.21.4"
                          },
                          {
                            "version_value": "1.22.x before 1.22.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Wikimedia Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Path Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html",
              "refsource": "MISC",
              "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-6455",
    "datePublished": "2020-01-28T14:54:22",
    "dateReserved": "2013-11-04T00:00:00",
    "dateUpdated": "2024-08-06T17:39:01.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-4303 (GCVE-0-2013-4303)

Vulnerability from nvd – Published: 2019-12-11 18:30 – Updated: 2024-08-06 16:38
Summary
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.
Severity ?
No CVSS data available.
CWE
  • Cross-Site Scripting
Assigner
Impacted products
Vendor Product Version
Wikimedia Foundation MediaWiki Affected: 1.19.x before 1.19.8
Affected: 1.20.x before 1.20.7
Affected: 1.21.x before 1.21.2

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:38:01.957Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2013/q3/553"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/62194"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MediaWiki",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "1.19.x before 1.19.8"
            },
            {
              "status": "affected",
              "version": "1.20.x before 1.20.7"
            },
            {
              "status": "affected",
              "version": "and 1.21.x before 1.21.2"
            }
          ]
        }
      ],
      "datePublic": "2013-09-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of \".\" (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-12-11T18:30:37",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://seclists.org/oss-sec/2013/q3/553"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.securityfocus.com/bid/62194"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-4303",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MediaWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.19.x before 1.19.8"
                          },
                          {
                            "version_value": "1.20.x before 1.20.7"
                          },
                          {
                            "version_value": "and 1.21.x before 1.21.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Wikimedia Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of \".\" (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html",
              "refsource": "MISC",
              "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html"
            },
            {
              "name": "http://seclists.org/oss-sec/2013/q3/553",
              "refsource": "MISC",
              "url": "http://seclists.org/oss-sec/2013/q3/553"
            },
            {
              "name": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746",
              "refsource": "MISC",
              "url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=52746"
            },
            {
              "name": "http://www.securityfocus.com/bid/62194",
              "refsource": "MISC",
              "url": "http://www.securityfocus.com/bid/62194"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86897"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-4303",
    "datePublished": "2019-12-11T18:30:37",
    "dateReserved": "2013-06-12T00:00:00",
    "dateUpdated": "2024-08-06T16:38:01.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}