FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mediawiki -- multiple vulnerabilities

Affected packages
mediawiki135 < 1.35.5
mediawiki136 < 1.36.3
mediawiki137 < 1.37.1

Details

VuXML ID 0a50bb48-625f-11ec-a1fb-080027cb2f6f
Discovery 2021-12-01
Entry 2021-12-21

MediaWiki reports:

(T292763, CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.

(T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel.

(T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages.

(T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions.

(T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action.

(T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.

(T294686) Special:Nuke doesn't actually delete pages.

References

CVE Name CVE-2021-44854
CVE Name CVE-2021-44855
CVE Name CVE-2021-44856
CVE Name CVE-2021-44857
CVE Name CVE-2021-44858
CVE Name CVE-2021-45038
URL https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/