ALT-PU-2024-16886-1

BDU:2024-02778

MEDIUM6.1

Уязвимость файла include/logging/RightsLogFormatter.php программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Published: 2024-04-10

CVSS 3.xMEDIUM 6.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2023-51704

BDU:2024-02784

MEDIUM5.4

Уязвимость расширения CampaignEvents программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Published: 2024-04-10

CVSS 3.xMEDIUM 5.4

CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 5.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N

References

CVE-2024-23171

BDU:2024-02785

MEDIUM5.4

Уязвимость расширения CheckUser программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Published: 2024-04-10

CVSS 3.xMEDIUM 5.4

CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 5.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N

References

CVE-2024-23172

BDU:2024-02786

MEDIUM6.1

Уязвимость расширения Cargo программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Published: 2024-04-10

CVSS 3.xMEDIUM 6.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2024-23173

BDU:2024-02787

MEDIUM5.4

Уязвимость расширения PageTriage программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Published: 2024-04-10

CVSS 3.xMEDIUM 5.4

CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 5.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N

References

CVE-2024-23174

BDU:2024-02788

MEDIUM6.1

Уязвимость расширения WatchAnalytics программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Published: 2024-04-10

CVSS 3.xMEDIUM 6.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2024-23177

BDU:2024-02789

MEDIUM5.4

Уязвимость расширения Phonos программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Published: 2024-04-10

CVSS 3.xMEDIUM 5.4

CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 5.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N

References

CVE-2024-23178

BDU:2024-02790

MEDIUM6.1

Уязвимость расширения GlobalBlocking программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Published: 2024-04-10

CVSS 3.xMEDIUM 6.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2024-23179

CVE-2023-51704

MEDIUM6.1

An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights.

Published: 2023-12-22Modified: 2025-11-04

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-23171

MEDIUM5.4

An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n).

Published: 2024-01-12Modified: 2025-06-20

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-23172

MEDIUM5.4

An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog.

Published: 2024-01-12Modified: 2025-06-04

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-23173

MEDIUM6.1

An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php.

Published: 2024-01-12Modified: 2025-06-03

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-23174

MEDIUM5.4

An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message.

Published: 2024-01-12Modified: 2025-06-20

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-23177

MEDIUM6.1

An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter.

Published: 2024-01-12Modified: 2025-06-03

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-23178

MEDIUM5.4

An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message.

Published: 2024-01-12Modified: 2025-06-03

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-23179

MEDIUM6.1

An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks.

Published: 2024-01-12Modified: 2024-11-21

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-40596

MEDIUM4.3

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The Special:Investigate feature can expose suppressed information for log events. (TimelineService does not support properly suppressing.)

Published: 2024-07-07Modified: 2025-03-18

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

CVE-2024-40598

MEDIUM4.3

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log events. (The log_deleted attribute is not applied to entries.)

Published: 2024-07-07Modified: 2025-03-25

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

CVE-2024-40599

MEDIUM4.8

An issue was discovered in the GuMaxDD skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

Published: 2024-07-07Modified: 2025-03-20

CVSS 3.xMEDIUM 4.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-40600

MEDIUM4.8

An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

Published: 2024-07-07Modified: 2024-11-21

CVSS 3.xMEDIUM 4.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-40601

MEDIUM6.5

An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules.

Published: 2024-07-07Modified: 2024-11-21

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References

CVE-2024-40602

MEDIUM4.8

An issue was discovered in the Tempo skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

Published: 2024-07-07Modified: 2025-03-14

CVSS 3.xMEDIUM 4.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-40603

MEDIUM4.3

An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter data via a GET request.

Published: 2024-07-07Modified: 2025-03-17

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

CVE-2024-40604

MEDIUM4.8

An issue was discovered in the Nimbus skin for MediaWiki through 1.42.1. There is Stored XSS via MediaWiki:Nimbus-sidebar menu and submenu entries.

Published: 2024-07-07Modified: 2025-03-18

CVSS 3.xMEDIUM 4.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References

CVE-2024-40605

MEDIUM4.8

An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

Published: 2024-07-07Modified: 2025-03-14

CVSS 3.xMEDIUM 4.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References

Package update mediawiki in branch sisyphus_loongarch64

Closed issues (25)

Уязвимость расширения CampaignEvents программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Уязвимость расширения CheckUser программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Уязвимость расширения Cargo программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Уязвимость расширения PageTriage программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Уязвимость расширения WatchAnalytics программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Уязвимость расширения Phonos программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

Уязвимость расширения GlobalBlocking программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю осуществить межсайтовые сценарные атаки

An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights.

An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n).

An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog.

An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php.

An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter.

An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message.

An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks.

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The Special:Investigate feature can expose suppressed information for log events. (TimelineService does not support properly suppressing.)

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log events. (The log_deleted attribute is not applied to entries.)

An issue was discovered in the GuMaxDD skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules.

An issue was discovered in the Tempo skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.

An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter data via a GET request.

An issue was discovered in the Nimbus skin for MediaWiki through 1.42.1. There is Stored XSS via MediaWiki:Nimbus-sidebar menu and submenu entries.

An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.