Mediawiki: >> Mediawiki >> 1.35.12 Security Vulnerabilities
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. It allows one to store javascript: URLs in URL fields, and automatically links these URLs.
CVSS Score
6.1
EPSS Score
0.004
Published
2023-06-29
An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs.
CVSS Score
6.1
EPSS Score
0.004
Published
2023-06-29
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users.
CVSS Score
4.3
EPSS Score
0.004
Published
2023-03-31
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. When a user with checkuserlog permissions makes many CheckUserLog API requests in some configurations, denial of service can occur (RequestTimeoutException or upstream request timeout).
CVSS Score
6.5
EPSS Score
0.006
Published
2023-03-31
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted.
CVSS Score
5.3
EPSS Score
0.004
Published
2023-03-31
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.
CVSS Score
4.3
EPSS Score
0.005
Published
2023-01-11
An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote.
CVSS Score
5.4
EPSS Score
0.006
Published
2022-09-29
An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.
CVSS Score
6.1
EPSS Score
0.008
Published
2022-09-29
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can login with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback.
CVSS Score
5.4
EPSS Score
0.006
Published
2022-09-29
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.
CVSS Score
4.8
EPSS Score
0.006
Published
2022-09-29