Arch Linux ASA-201608-19
Aug 26, 2016 - 12:00 a.m.

mediawiki: multiple issues

2016-08-26 00:00:00
Arch Linux
lists.archlinux.org

CVSS3: 7.5 High

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium

  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.003 Low (Percentile: 66.1%)

  • CVE-2016-6331 (permission bypass)

Check read permission when loading page content in ApiParse. Prevents
leaking page contents for extensions that deny read rights to certain
pages via a userCan hook, but still allow the user to have read rights
in general.

  • CVE-2016-6332 (permission bypass)

Make $wgBlockDisablesLogin also restrict logged-in permissions. The fix
covers both Title- and user-related methods, so it catches code that only
calls $wgUser->isAllowed( 'read' ), and gives a nicer error message
for code that uses $title->userCan(). Otherwise, the user can still
perform actions and read pages if they have an ongoing session.

  • CVE-2016-6333 (cross-site scripting)

Escape '<' and ']]>' in inline <style> blocks. This is to prevent
people from closing the <style> tag, and then doing arbitrary js-y
things. In particular, this is needed when previewing user CSS
pages. This does not escape '>' since it is used as the child selector in
CSS, and generally speaking, '>' is safe inside the contents of
elements.

  • CVE-2016-6334 (cross-site scripting)

rawurldecode was being run on unclosed internal links, which could allow
an attacker to insert arbitrary HTML into the page.

  • CVE-2016-6335 (information disclosure)

API: Generate head items in the context of the given title.
$context->getOutput() returns an OutputPage tied to the main
RequestContext at the root of the chain, not to the modified context
we’re actually using.

  • CVE-2016-6336 (permission bypass)

Do not allow undeleting a revision-deleted file if it is the top file.
This prevents admins from being able to view suppressed files by simply
deleting them and then undeleting only the file revision that they want
to view.

  • CVE-2016-6337 (permission bypass)

Move the 'UserGetRights' call before application of
Session::getAllowedUserRights(). This prevents hook functions from
accidentally adding rights that should be denied based on the session
grants. If some extension really needs to be able to override session
grants, add a new hook where the old call was, with documentation
explicitly warning about the security implications.
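
The inline <style> escaping described under CVE-2016-6333 above, as an added JavaScript example that is not MediaWiki's own code (MediaWiki is written in PHP). The function names and the sample CSS are constructed for illustration, and the use of CSS hex escapes as the replacement values is an assumption about one way to do the escaping.

```javascript
// Added example: escape CSS that will be placed inside an inline <style> block.
// A CSS hex escape is a backslash, the code point in hex, and one space that the
// CSS parser swallows. The space stops a following hex digit (such as "b") from
// being read as part of the escape.
const CSS_ESCAPES = {
  '<': '\\3C ',            // the text can no longer form "</style"
  ']]>': '\\5D\\5D\\3E ',  // "]]>" is the CDATA section terminator
};

function escapeInlineStyle(css) {
  // Single pass with alternation, so replacement output is never re-scanned.
  // '>' on its own is left alone: it is the CSS child combinator.
  return String(css).replace(/\]\]>|</g, (m) => CSS_ESCAPES[m]);
}

// Hypothetical wrappers: the "before" and "after" of the fix.
function inlineStyleUnescaped(css) {
  return '<style>' + css + '</style>';
}

function inlineStyleEscaped(css) {
  return '<style>' + escapeInlineStyle(css) + '</style>';
}

// Defender-side check. <style> is a raw-text element: the HTML parser ends it at
// the first "</style" (case-insensitive) and parses whatever follows as markup.
// Returns that trailing markup; an empty string means nothing left the block.
function markupAfterStyle(html) {
  const open = html.indexOf('<style>') + '<style>'.length;
  const close = html.toLowerCase().indexOf('</style', open);
  const end = html.indexOf('>', close) + 1;
  return html.slice(end);
}

// Constructed sample: user CSS with a child selector, an early closing tag in
// mixed case, and a "]]>" sequence inside an attribute selector.
const sampleCss = 'ul > li { color: red } </STYLE><b>outside</b> a[x="]]>"] {}';

console.log(JSON.stringify(markupAfterStyle(inlineStyleUnescaped(sampleCss))));
console.log(JSON.stringify(markupAfterStyle(inlineStyleEscaped(sampleCss))));
console.log(escapeInlineStyle(sampleCss));
```
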

OS    Version    Architecture    Package      Version       Filename
any   any        any             mediawiki    < 1.27.1-1    UNKNOWN
