CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.006 Low
Percentile: 78.6%

MediaWiki reports:

- (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as “http://my.wiki.com/wiki/$1” are fine, as are “/wiki/$1”. A value such as “$1” or “wiki/$1” is not and will now throw an error.
- (T119309) SECURITY: Use hash_compare() for edit token comparison.
- (T118032) SECURITY: Don’t allow cURL to interpret POST parameters starting with ‘@’ as file uploads.
- (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength.
- (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued.
- (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | mediawiki123 | < 1.23.12 | UNKNOWN |
FreeBSD | any | noarch | mediawiki124 | < 1.24.5 | UNKNOWN |
FreeBSD | any | noarch | mediawiki125 | < 1.25.4 | UNKNOWN |
FreeBSD | any | noarch | mediawiki126 | < 1.26.1 | UNKNOWN |

www.openwall.com/lists/oss-security/2015/12/23/7
lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html
phabricator.wikimedia.org/T109724
phabricator.wikimedia.org/T115522
phabricator.wikimedia.org/T117899
phabricator.wikimedia.org/T118032
phabricator.wikimedia.org/T119309
phabricator.wikimedia.org/T97897