ALT-PU-2014-1960-2

Package update mediawiki in branch sisyphus

Version1.23.1-alt1

Published2026-02-04

Max severityMEDIUM

Severity:

Closed issues (4)

MEDIUM4.0

includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

Published: 2014-04-20Modified: 2025-04-12

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

References

MEDIUM4.3

Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.

Published: 2014-04-29Modified: 2025-04-12

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

References

LOW2.6

Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.

Published: 2014-06-06Modified: 2025-04-12

CVSS 2.0LOW 2.6

CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N

References

GHSA-6h86-9r5g-f2h5

NONE

Cross-site scripting vulnerability in includes/actions/InfoAction.php

Published: 2022-05-17Modified: 2024-11-02

References