Debian Mediawiki vulnerabilities
304 known vulnerabilities affecting debian/mediawiki.
Total CVEs: 304
CISA KEV: 0
Public exploits: 6
Exploited in wild: 1
Severity breakdown
CRITICAL: 4, HIGH: 47, MEDIUM: 133, LOW: 94, UNKNOWN: 6
Vulnerabilities
Page 12 of 16
CVE-2013-6472 | MEDIUM | CVSS 5.0 | fixed in mediawiki 1:1.19.10+dfsg-1 (bookworm) | 2013
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted pages via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.
Scope: local
bookworm: resolved (fixed in 1:1.19.10+dfsg-1)
bullseye: resolved (fixed in 1:1.19.10+dfsg-1)
forky: resolved (fixed in 1:1.19.10+dfsg-1)
sid:
debian
CVE-2013-6452 | MEDIUM | CVSS 4.3 | fixed in mediawiki 1:1.19.10+dfsg-1 (bookworm) | 2013
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file.
Scope: local
bookworm: resolved (fixed in 1:1.19.10+dfsg-1)
bullseye: resolved (fixed in 1:1.19.10+dfsg-1)
forky: resolved (fixed in 1:1.19.10+dfsg-1)
sid:
debian
CVE-2013-4568 | MEDIUM | CVSS 4.3 | fixed in mediawiki 1:1.19.8+dfsg-2.2 (bookworm) | 2013
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are con
debian
CVE-2013-2114 | MEDIUM | CVSS 6.8 | fixed in mediawiki 1:1.19.7+dfsg-1 (bookworm) | 2013
Unrestricted file upload vulnerability in the chunk upload API in MediaWiki 1.19 through 1.19.6 and 1.20.x before 1.20.6 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
Scope: local
bookworm: resolved (fixed in 1:1.19.7+dfsg-1)
bullseye: resolved (fixed in 1:1.19.7+dfsg-1)
forky: resolved (fixed in 1:1.19.7+dfsg-
debian
CVE-2013-2031 | MEDIUM | CVSS 4.3 | fixed in mediawiki 1:1.19.6-1 (bookworm) | 2013
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in an SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox.
Scope: local
bookworm: resolved (fixed in 1:1.19.6-1)
bullseye: resolved (fixed in 1:
debian
CVE-2013-1951 | MEDIUM | CVSS 6.1 | fixed in mediawiki 1:1.19.5-1 (bookworm) | 2013
A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 allows remote attackers to inject arbitrary web script or HTML via Lua function names.
Scope: local
bookworm: resolved (fixed in 1:1.19.5-1)
bullseye: resolved (fixed in 1:1.19.5-1)
forky: resolved (fixed in 1:1.19.5-1)
sid: resolved (fixed in 1:1.19.5-1)
trixie: res
debian
CVE-2013-6454 | MEDIUM | CVSS 4.3 | fixed in mediawiki 1:1.19.10+dfsg-1 (bookworm) | 2013
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute.
Scope: local
bookworm: resolved (fixed in 1:1.19.10+dfsg-1)
bullseye: resolved (fixed in 1:1.19.10+dfsg-1)
forky: resolved (fixed in 1:1.19.10+dfsg-1)
sid: resolve
debian
CVE-2013-7444 | MEDIUM | CVSS 5.0 | fixed in mediawiki 1:1.25.5-1 (bookworm) | 2013
The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text.
Scope: local
bookworm: resolved (fixed in 1:1.25.5-1)
bullseye: resolved (fixed in 1:1.25.5-1)
forky: resolved (fixed in 1:1.25.5-1)
sid: resolved (fixed in 1:1.25.5-1)
trixie: resolved (fixed in 1:1.25.5-1)
debian
CVE-2013-6451 | MEDIUM | CVSS 6.1 | fixed in mediawiki 1:1.19.10+dfsg-1 (bookworm) | 2013
Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.
Scope: local
bookworm: resolved (fixed in 1:1.19.10+dfsg-1)
bullseye: resolved (fixed in 1:1.19.10+dfsg-1)
forky: resolved (fixed in 1:1.19.10+dfsg-1)
si
debian
CVE-2013-4567 | MEDIUM | CVSS 4.3 | fixed in mediawiki 1:1.19.8+dfsg-2.2 (bookworm) | 2013
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS.
Scope: local
bookworm: resolved (fixed in 1:1.19.8+dfsg-2.2)
bullseye: resolved (fixed in 1:1.19.8+dfsg-2.2)
forky: resolved
debian
CVE-2013-1818 | LOW | CVSS 5.0 | 2013
CVE-2013-1818 [MEDIUM] CVE-2013-1818: mediawiki - maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote attackers ...
maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote attackers to read arbitrary files via unspecified vectors.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2013-2032 | LOW | CVSS 5.0 | fixed in mediawiki 1:1.19.6-1 (bookworm) | 2013
CVE-2013-2032 [MEDIUM] CVE-2013-2032: mediawiki - MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to pr...
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks.
Scope: local
bookworm: resolved (fixed in 1:1.19.6-1)
bullseye: resolv
debian
CVE-2013-4303 | LOW | CVSS 6.1 | fixed in mediawiki 1:1.19.8+dfsg-1 (bookworm) | 2013
CVE-2013-4303 [MEDIUM] CVE-2013-4303: mediawiki - includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before...
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wi
debian
CVE-2013-4301 | LOW | CVSS 5.0 | fixed in mediawiki 1:1.19.8+dfsg-1 (bookworm) | 2013
CVE-2013-4301 [MEDIUM] CVE-2013-4301: mediawiki - includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.1...
includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message.
Scope: local
bookworm: resolved (fixed in 1
debian
CVE-2012-4380 | HIGH | CVSS 7.5 | fixed in mediawiki 1:1.19.2-1 (bookworm) | 2012
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1:1.19.2-1)
bullseye: resolved (fixed in 1:1.19.2-1)
forky: resolved (fixed in 1:1.19.2-1)
sid: resolved (fixed in 1:1.19.2-1)
trixie: resolved (fixed
debian
CVE-2012-4381 | HIGH | CVSS 8.1 | fixed in mediawiki 1:1.19.2-1 (bookworm) | 2012
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an e
debian
CVE-2012-5391 | MEDIUM | CVSS 6.8 | fixed in mediawiki 1:1.19.3-1 (bookworm) | 2012
Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the session_id.
Scope: local
bookworm: resolved (fixed in 1:1.19.3-1)
bullseye: resolved (fixed in 1:1.19.3-1)
forky: resolved (fixed in 1:1.19.3-1)
sid: resolved (fixed in 1:1.19.3-1)
tri
debian
CVE-2012-4379 | MEDIUM | CVSS 6.5 | fixed in mediawiki 1:1.19.2-1 (bookworm) | 2012
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.
Scope: local
bookworm: resolved (fixed in 1:1.19.2-1)
bullseye: resolved (fixed in 1:1.19.2-1)
forky: resolved (fixed in 1:1.19.2-1)
sid: resolved
debian
CVE-2012-4377 | MEDIUM | CVSS 6.1 | fixed in mediawiki 1:1.19.2-1 (bookworm) | 2012
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.
Scope: local
bookworm: resolved (fixed in 1:1.19.2-1)
bullseye: resolved (fixed in 1:1.19.2-1)
forky: resolved (fixed in 1:1.19.2-1)
sid: resolved (fixed in 1:1.19.2-1)
debian
CVE-2012-4382 | MEDIUM | CVSS 4.9 | fixed in mediawiki 1:1.19.2-1 (bookworm) | 2012
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt.
Scope: local
bookworm: resolved (fixed in 1:1.19.2-1)
bullseye: resolved (fixed in 1:1.19.2-1)
forky: resolved (fixed in 1:1.19.2-1)
sid: resolved (fixed in 1:1.19.2-1)
trixie: resolv
debian