FreeBSD0A50BB48-625F-11EC-A1FB-080027CB2F6Fmediawiki -- multiple vulnerabilities
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
56.9%
Mediawiki reports:
(T292763. CVE-2021-44854) REST API incorrectly publicly caches
autocomplete search results from private wikis.
(T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via
Special:ChangeContentModel.
(T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to
replace the content of arbitrary pages.
(T297322, CVE-2021-44858) Unauthorized users can view contents of private
wikis using various actions.
(T297574, CVE-2021-45038) Unauthorized users can access private wiki
contents using rollback action
(T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.
(T294686) Special:Nuke doesn’t actually delete pages.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| FreeBSD | any | noarch | mediawiki135 | < 1.35.5 | UNKNOWN |
| FreeBSD | any | noarch | mediawiki136 | < 1.36.3 | UNKNOWN |
| FreeBSD | any | noarch | mediawiki137 | < 1.37.1 | UNKNOWN |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
56.9%