CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
91.6%
Updated mediawiki packages fix security vulnerabilities: Potential XSS in jQuery (CVE-2019-11358). An account can be logged out without using a token (CSRF) (CVE-2019-12466). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them (CVE-2019-12467). Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover (CVE-2019-12468). Exposed suppressed username or log in Special:EditTags (CVE-2019-12469). Exposed suppressed log in RevisionDelete page (CVE-2019-12470). Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users’ loading that script (CVE-2019-12471). It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit
) by using the API (CVE-2019-12472). Passing invalid titles to the API could cause a DoS by querying the entire watchlist
table (CVE-2019-12473). Privileged API responses that include whether a recent change has been patrolled may be cached publicly (CVE-2019-12474). The mediawiki package has been updated to version 1.27.6 (Mageia 6) and 1.31.2 (Mageia 7), fixing these issues and other bugs. See the release announcements for more details.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 6 | noarch | mediawiki | < 1.27.7-1 | mediawiki-1.27.7-1.mga6 |
Mageia | 7 | noarch | mediawiki | < 1.31.3-1 | mediawiki-1.31.3-1.mga7 |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
91.6%