| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | Reedy | T270458 Release MediaWiki 1.31.13/1.35.2 |
| Resolved | | Reedy | T270465 Obtain CVEs for 1.31.13/1.35.2 security releases |
Event Timeline
> [Suggested description]
> An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2.
> When using the MediaWiki API to "protect" a page, a user is currently
> able to protect to a higher level than they currently have permissions
> for.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Wikimedia Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> MediaWiki - Fixed >= 1.31.13, >= 1.35.2
>
> ------------------------------------------
>
> [Affected Component]
> includes/api/ApiProtect.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://phabricator.wikimedia.org/T270713
>
> ------------------------------------------
>
> [Discoverer]
> Tobi_406

Use CVE-2021-30152.

> [Suggested description]
> An issue was discovered in the VisualEditor extension through 2021-04-06 for MediaWiki through 1.35.x.
> When using VisualEditor to edit a MediaWiki user page belonging to an existing, but
> hidden, user, VisualEditor will disclose that the
> user exists. (It shouldn't because they are hidden.)
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Wikimedia Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> MediaWiki VisualEditor extension - extension is not versioned (will be applicable git hashes after patches are made public)
>
> ------------------------------------------
>
> [Affected Component]
> VisualEditor ApiVisualEditor module
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Reference]
> https://phabricator.wikimedia.org/T270453
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> DannyS712

Use CVE-2021-30153.

> [Suggested description]
> An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2.
> On Special:NewFiles, all the mediastatistics-header-* messages are
> output in HTML unescaped, leading to XSS.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Wikimedia Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> MediaWiki - Fixed MediaWiki >= 1.31.12, 1.35.2
>
> ------------------------------------------
>
> [Affected Component]
> includes/specials/SpecialNewimages.php, includes/specials/SpecialNewFiles.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://phabricator.wikimedia.org/T278014
>
> ------------------------------------------
>
> [Discoverer]
> Grunny

Use CVE-2021-30154.

> [Suggested description]
> An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2.
> ContentModelChange does not check if a user has correct
> permissions to create and set the content model of a nonexistent page.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Wikimedia Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> MediaWiki - Fixed MediaWiki >= 1.31.12, 1.35.2
>
> ------------------------------------------
>
> [Affected Component]
> includes/content/ContentModelChange.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://phabricator.wikimedia.org/T270988
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Xzonn

Use CVE-2021-30155.

> [Suggested description]
> An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2.
> Special:Contributions can leak that a "hidden" user exists.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Wikimedia Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> MediaWiki - Fixed MediaWiki >= 1.31.12, 1.35.2
>
> ------------------------------------------
>
> [Affected Component]
> includes/specials/SpecialContributions.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Reference]
> https://phabricator.wikimedia.org/T276306
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Majavah

Use CVE-2021-30156.

> [Suggested description]
> An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2.
> On ChangesList special pages such as Special:RecentChanges and
> Special:Watchlist, some of the rcfilters-filter-* label messages are
> output in HTML unescaped, leading to XSS.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Wikimedia Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> MediaWiki - Fixed MediaWiki >= 1.31.12, 1.35.2
>
> ------------------------------------------
>
> [Affected Component]
> resources/src/mediawiki.rcfilters/ui/TagItemWidget.js
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://phabricator.wikimedia.org/T278058
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Grunny

Use CVE-2021-30157.

> [Suggested description]
> An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2.
> Blocked users are unable to use Special:ResetTokens.
> This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has
> been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Wikimedia Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> MediaWiki - Fixed MediaWiki >= 1.31.12, 1.35.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Reference]
> https://phabricator.wikimedia.org/T277009
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> IN

Use CVE-2021-30158.

> [Suggested description]
> An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2.
> Users can bypass intended restrictions on deleting pages in certain situations.
> MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if
> Title::getArticleID() returns non-zero with no special flags. Next,
> MovePage::moveToInternal() will delete the page if
> getArticleID(READ_LATEST) is non-zero. Therefore, if the
> page is missing in the replica DB, isValidMove() will return true, and
> then moveToInternal() will unconditionally delete the page if it can be
> found in the master.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Wikimedia Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> MediaWiki - Fixed MediaWiki >= 1.31.12, 1.35.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://phabricator.wikimedia.org/T272386
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> PrimeHunter

Use CVE-2021-30159.