Mediawiki: >> Mediawiki >> 1.36.4 Security Vulnerabilities
An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future.
CVSS Score
9.8
EPSS Score
0.003
Published
2022-03-30
An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-03-30
An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-03-30
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-12-24
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-12-24
In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-12-24
Page 9