ALT-PU-2014-1972-1
Closed vulnerabilities
Modified: 2024-11-21
CVE-2014-2665
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.
- [mediawiki-announce] 20140328 MediaWiki Security and Maintenance Releases: 1.22.5, 1.21.8 and 1.19.14
- [mediawiki-announce] 20140328 MediaWiki Security and Maintenance Releases: 1.22.5, 1.21.8 and 1.19.14
- [oss-security] 20140327 CVE request: MediaWiki 1.22.5 login csrf
- [oss-security] 20140327 CVE request: MediaWiki 1.22.5 login csrf
- [oss-security] 20140401 Re: CVE request: MediaWiki 1.22.5 login csrf
- [oss-security] 20140401 Re: CVE request: MediaWiki 1.22.5 login csrf
- https://bugzilla.wikimedia.org/show_bug.cgi?id=62497
- https://bugzilla.wikimedia.org/show_bug.cgi?id=62497
- https://gerrit.wikimedia.org/r/#/c/121517/1/includes/specials/SpecialChangePassword.php
- https://gerrit.wikimedia.org/r/#/c/121517/1/includes/specials/SpecialChangePassword.php
Modified: 2024-11-21
CVE-2014-2853
Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.
- [MediaWiki-announce] 20140424 MediaWiki Security and Maintenance Releases: 1.22.6 and 1.21.9
- [MediaWiki-announce] 20140424 MediaWiki Security and Maintenance Releases: 1.22.6 and 1.21.9
- 58262
- 58262
- 67068
- 67068
- 1030161
- 1030161
- https://bugzilla.redhat.com/show_bug.cgi?id=1091967
- https://bugzilla.redhat.com/show_bug.cgi?id=1091967
- https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
- https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
- https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
- https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
- https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
- https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
- https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
- https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
Modified: 2024-11-21
CVE-2014-3966
Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.
- [MediaWiki-announce] 20140529 MediaWiki Security and Maintenance Releases: 1.19.16, 1.21.10 and 1.22.7
- [MediaWiki-announce] 20140529 MediaWiki Security and Maintenance Releases: 1.19.16, 1.21.10 and 1.22.7
- 58834
- 58834
- 58896
- 58896
- DSA-2957
- DSA-2957
- [oss-security] 20140604 Re: CVE request: mediawiki invalid usernames on Special:PasswordReset were parsed as wikitext
- [oss-security] 20140604 Re: CVE request: mediawiki invalid usernames on Special:PasswordReset were parsed as wikitext
- 67787
- 67787
- 1030364
- 1030364
- https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
- https://bugzilla.wikimedia.org/show_bug.cgi?id=65501