FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mediawiki -- multiple vulnerabilities

Affected packages
mediawiki131 < 1.31.3
mediawiki132 < 1.32.3

Details

VuXML ID 3c5a4fe0-9ebb-11e9-9169-fcaa147e860e
Discovery 2019-04-23
Entry 2019-07-05

Mediawiki reports:

Security fixes: T197279, CVE-2019-12468: Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover. T204729, CVE-2019-12473: Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table. T207603, CVE-2019-12471: Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users' loading that script. T208881: blacklist CSS var(). T199540, CVE-2019-12472: It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API. T212118, CVE-2019-12474: Privileged API responses that include whether a recent change has been patrolled may be cached publicly. T209794, CVE-2019-12467: A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. T25227, CVE-2019-12466: An account can be logged out without using a token(CRRF) T222036, CVE-2019-12469: Exposed suppressed username or log in Special:EditTags. T222038, CVE-2019-12470: Exposed suppressed log in RevisionDelete page. T221739, CVE-2019-11358: Fix potential XSS in jQuery.

References

CVE Name CVE-2019-11358
CVE Name CVE-2019-12466
CVE Name CVE-2019-12467
CVE Name CVE-2019-12468
CVE Name CVE-2019-12469
CVE Name CVE-2019-12470
CVE Name CVE-2019-12471
CVE Name CVE-2019-12472
CVE Name CVE-2019-12473
CVE Name CVE-2019-12474
URL https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html