CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
80.3%
Severity: High
Date : 2017-11-15
CVE-ID : CVE-2017-0361 CVE-2017-8808 CVE-2017-8809 CVE-2017-8810
CVE-2017-8811 CVE-2017-8812 CVE-2017-8814 CVE-2017-8815
Package : mediawiki
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-490
The package mediawiki before version 1.29.2-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure, url
request injection and insufficient validation.
Upgrade to 1.29.2-1.
The problems have been fixed upstream in version 1.29.2.
None.
MediaWiki before 1.29.2 may leak passwords in plaintext. API parameters
may now be marked as “sensitive” to keep their values out of the logs.
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2
has XSS when the $wgShowExceptionDetails setting is false and the
browser sends non-standard URL escaping.
api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x
before 1.29.2 has a Reflected File Download vulnerability.
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before
1.29.2, when a private wiki is configured, provides different error
messages for failed login attempts depending on whether the username
exists, which allows remote attackers to enumerate account names and
conduct brute-force attacks via a series of requests.
The implementation of raw message parameter expansion in MediaWiki
before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows
HTML mangling attacks.
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2
allows remote attackers to inject > (greater than) characters via the
id attribute of a headline.
The language converter in MediaWiki before 1.27.4, 1.28.x before
1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text
inside tags via a rule definition followed by “a lot of junk.”
The language converter in MediaWiki before 1.27.4, 1.28.x before
1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via
glossary rules.
A remote attacker is able to perform a cross-side scripting attack by
injecting javascript into the site, disclose information or perform a
reflected file download attack.
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
https://phabricator.wikimedia.org/T125177
https://phabricator.wikimedia.org/T180488
https://github.com/wikimedia/mediawiki/commit/8b0220e81ba462d21d8e1facbe6aed047f7418a2
https://github.com/wikimedia/mediawiki/commit/59ce3456a8007d76875fe8fb21eff4a90b214034
https://phabricator.wikimedia.org/T178451
https://github.com/wikimedia/mediawiki/commit/1713ddeff12b263fb7634796dc029d3fe26ade41
https://phabricator.wikimedia.org/T128209
https://github.com/wikimedia/mediawiki/commit/9bf2c01ea238d0e71c56bad7341c89345855bd5d
https://phabricator.wikimedia.org/T134100
https://github.com/wikimedia/mediawiki/commit/e7ea90509c73c60b665b8f63e3bb95b1adfec78c
https://phabricator.wikimedia.org/T176247
https://github.com/wikimedia/mediawiki/commit/410c00a9ae92411d3d1568e84c4aa2579a577635
https://phabricator.wikimedia.org/T125163
https://github.com/wikimedia/mediawiki/commit/31041e4557c2f4b96ef0a16e44bf6be5566a9ffb
https://phabricator.wikimedia.org/T124404
https://github.com/wikimedia/mediawiki/commit/fbe78cfa094645b907d0fd2885c5797321f794eb
https://phabricator.wikimedia.org/T119158
https://github.com/wikimedia/mediawiki/commit/f21f3942eb10d7e688eb25261ac3a9478268cbd3
https://security.archlinux.org/CVE-2017-0361
https://security.archlinux.org/CVE-2017-8808
https://security.archlinux.org/CVE-2017-8809
https://security.archlinux.org/CVE-2017-8810
https://security.archlinux.org/CVE-2017-8811
https://security.archlinux.org/CVE-2017-8812
https://security.archlinux.org/CVE-2017-8814
https://security.archlinux.org/CVE-2017-8815
github.com/wikimedia/mediawiki/commit/1713ddeff12b263fb7634796dc029d3fe26ade41
github.com/wikimedia/mediawiki/commit/31041e4557c2f4b96ef0a16e44bf6be5566a9ffb
github.com/wikimedia/mediawiki/commit/410c00a9ae92411d3d1568e84c4aa2579a577635
github.com/wikimedia/mediawiki/commit/59ce3456a8007d76875fe8fb21eff4a90b214034
github.com/wikimedia/mediawiki/commit/8b0220e81ba462d21d8e1facbe6aed047f7418a2
github.com/wikimedia/mediawiki/commit/9bf2c01ea238d0e71c56bad7341c89345855bd5d
github.com/wikimedia/mediawiki/commit/e7ea90509c73c60b665b8f63e3bb95b1adfec78c
github.com/wikimedia/mediawiki/commit/f21f3942eb10d7e688eb25261ac3a9478268cbd3
github.com/wikimedia/mediawiki/commit/fbe78cfa094645b907d0fd2885c5797321f794eb
lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
phabricator.wikimedia.org/T119158
phabricator.wikimedia.org/T124404
phabricator.wikimedia.org/T125163
phabricator.wikimedia.org/T125177
phabricator.wikimedia.org/T128209
phabricator.wikimedia.org/T134100
phabricator.wikimedia.org/T176247
phabricator.wikimedia.org/T178451
phabricator.wikimedia.org/T180488
security.archlinux.org/AVG-490
security.archlinux.org/CVE-2017-0361
security.archlinux.org/CVE-2017-8808
security.archlinux.org/CVE-2017-8809
security.archlinux.org/CVE-2017-8810
security.archlinux.org/CVE-2017-8811
security.archlinux.org/CVE-2017-8812
security.archlinux.org/CVE-2017-8814
security.archlinux.org/CVE-2017-8815
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
80.3%