Security Advisories - mediawiki/core

mediawiki/core Security Advisories for 1.30.0-rc.0 (16)

[HIGH] MediaWiki Denial of Service vulnerability

PKSA-wzph-c8jf-dsw9 CVE-2023-45363 GHSA-w5fx-cx7f-6vr9

Affected version: =1.40.0|>=1.36.0,<1.39.5|<1.35.12

Reported by:
GitHub
[CRITICAL] X-Forwarded-For header allows brute-forcing autoblocked IP addresses

PKSA-sywz-vkhh-67ff CVE-2023-29141 GHSA-5vj8-g3qg-4qh6

Affected version: <1.35.10|>=1.38.0,<1.38.6|>=1.39.0,<1.39.3

Reported by:
GitHub
[MEDIUM] MediaWiki allows a denial of service

PKSA-qcmj-k84v-rjky CVE-2021-41800 GHSA-c8wv-qwwc-6j73

Affected version: <1.36.2

Reported by:
GitHub
[MEDIUM] img_auth.php may leak private extension images into the public cache

PKSA-ddy8-wbbj-hqfh CVE-2020-15005 GHSA-xpv7-93cm-4mxv

Affected version: >=1.34.0,<1.34.2|>=1.32.0,<1.33.4|<1.31.8

Reported by:
GitHub
[MEDIUM] Exposed suppressed log in RevisionDelete page

PKSA-jpp4-6j25-9ryr CVE-2019-12470 GHSA-733q-m38x-q7cc

Affected version: >=1.27.0,<1.27.6|>=1.30.0,<1.30.2|>=1.31.0,<1.31.2|>=1.32.0,<1.32.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly

PKSA-fksz-ptgz-3jth CVE-2019-12474 GHSA-2qrr-c2gh-pr35

Affected version: >=1.27.0,<1.27.6|>=1.30.0,<1.30.2|>=1.31.0,<1.31.2|>=1.32.0,<1.32.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API

PKSA-2rqt-w99v-qcks CVE-2019-12472 GHSA-7mqg-5fgh-xh4r

Affected version: >=1.27.0,<1.27.6|>=1.30.0,<1.30.2|>=1.31.0,<1.31.2|>=1.32.0,<1.32.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Exposed suppressed username or log in Special:EditTags

PKSA-92kc-wmpx-tswg CVE-2019-12469 GHSA-x3fr-w7r5-x7rg

Affected version: >=1.27.0,<1.27.6|>=1.30.0,<1.30.2|>=1.31.0,<1.31.2|>=1.32.0,<1.32.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[CRITICAL] Direct POST to Special:ChangeEmail will bypass reauth check

PKSA-kgmc-xj3p-ddfr CVE-2019-12468 GHSA-wrhx-3pxr-6vgg

Affected version: >=1.27.0,<1.27.6|>=1.30.0,<1.30.2|>=1.31.0,<1.31.2|>=1.32.0,<1.32.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Need to make a limit of count of attempts to change email address

PKSA-79fc-46xz-1c8z CVE-2019-12467 GHSA-6vfg-8ppv-h5hg

Affected version: >=1.27.0,<1.27.6|>=1.30.0,<1.30.2|>=1.31.0,<1.31.2|>=1.32.0,<1.32.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Use token when logging out

PKSA-kb8d-c7hc-dy3v CVE-2019-12466 GHSA-27fw-r78j-h898

Affected version: >=1.27.0,<1.27.6|>=1.30.0,<1.30.2|>=1.31.0,<1.31.2|>=1.32.0,<1.32.2|>=1.32.99,<1.33.0

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Loading JS from user space where the username is not a registered account is dangerous and should be banned

PKSA-qc4c-7cdq-417d CVE-2019-12471 GHSA-2rm7-xxx8-35jh

Affected version: >=1.27.0,<1.27.6|>=1.30.0,<1.30.2|>=1.31.0,<1.31.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Potential enwiki DOS due to slow WatchedItemStore::countVisitingWatchersMultiple

PKSA-kt9r-ys7h-z4q8 CVE-2019-12473 GHSA-33xw-x3pr-rvqj

Affected version: >=1.27.0,<1.27.6|>=1.30.0,<1.30.2|>=1.31.0,<1.31.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] BotPassword can bypass CentralAuth's account lock

PKSA-rr5m-4z44-9fg2 CVE-2018-0505 GHSA-5c6w-f4w2-2grp

Affected version: >=1.27.0,<1.27.5|>=1.29.0,<1.29.3|>=1.30.0,<1.30.1|>=1.31.0,<1.31.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie'

PKSA-zbzt-cmt6-4sc8 CVE-2018-0503 GHSA-mhfv-9h99-jwg7

Affected version: >=1.27.0,<1.27.5|>=1.29.0,<1.29.3|>=1.30.0,<1.30.1|>=1.31.0,<1.31.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information

PKSA-63nj-9fx8-gscb CVE-2018-0504 GHSA-hr8v-f4g2-p66f

Affected version: >=1.27.0,<1.27.5|>=1.29.0,<1.29.3|>=1.30.0,<1.30.1|>=1.31.0,<1.31.1

Reported by:
GitHub, FriendsOfPHP/security-advisories

mediawiki/core Security Advisories for 1.30.0-rc.0 (16)

[HIGH] MediaWiki Denial of Service vulnerability

[CRITICAL] X-Forwarded-For header allows brute-forcing autoblocked IP addresses

[MEDIUM] MediaWiki allows a denial of service

[MEDIUM] img_auth.php may leak private extension images into the public cache

[MEDIUM] Exposed suppressed log in RevisionDelete page

[HIGH] API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly

[HIGH] Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API

[MEDIUM] Exposed suppressed username or log in Special:EditTags

[CRITICAL] Direct POST to Special:ChangeEmail will bypass reauth check

[MEDIUM] Need to make a limit of count of attempts to change email address

[HIGH] Use token when logging out

[MEDIUM] Loading JS from user space where the username is not a registered account is dangerous and should be banned

[HIGH] Potential enwiki DOS due to slow WatchedItemStore::countVisitingWatchersMultiple

[MEDIUM] BotPassword can bypass CentralAuth's account lock

[MEDIUM] $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie'

[MEDIUM] When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information