Nessus | Tenable | 700053.PRM
History: Apr 10, 2017 - 12:00 a.m.

MediaWiki 1.23.x < 1.23.16 / 1.27.x < 1.27.2 / 1.28.x < 1.28.1 Multiple Vulnerabilities

2017-04-10 00:00:00
Tenable
www.tenable.com

The version of MediaWiki installed is 1.23.x prior to 1.23.16, 1.27.x prior to 1.27.2, or 1.28.x prior to 1.28.1, and is affected by multiple vulnerabilities:

  • A flaw exists that is due to the program storing sensitive parameter information in ‘api.log’ in plaintext. This may allow a local attacker to gain access to password information. (CVE-2017-0361)
  • A flaw exists as HTTP requests to ‘includes/specials/SpecialWatchlist.php’ do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF/XSRF) attack causing the victim to mark all pages as visited in a watchlist. (CVE-2017-0362)
  • A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the ‘highlightText()’ function in ‘includes/search/SearchHighlighter.php’ does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that will execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. (CVE-2017-0365)
  • A flaw exists that allows a stored XSS attack. This flaw exists because the program does not validate input when handling uploaded SVG files before returning it to users. This may allow a remote attacker to create a specially crafted request that will execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. (CVE-2017-0366)
  • A flaw exists in the ‘includes/cache/localisation/LocalisationCache.php’ script that is triggered because ‘LocalisationCache’ falls back to the insecure temporary directory when determining the location to write the cache, potentially disclosing sensitive information to a local attacker. (CVE-2017-0367)
  • A flaw exists in the ‘includes/EditPage.php’ script that is triggered as input passed via the message parser is not properly sanitized when using the rawHTML mode. This may allow a remote attacker to potentially inject arbitrary HTML content. (CVE-2017-0368)
  • A flaw exists that may allow an authenticated remote attacker to potentially undelete a page without the appropriate authorizations. (CVE-2017-0369)
  • A flaw exists in the ‘includes/parser/Parser.php’ script that is triggered because the spam blacklist feature does not function properly on encoded URLs in the link parameter of the file inclusion syntax. This may allow a remote attacker to bypass blacklist protection mechanisms. (CVE-2017-0370)
  • A flaw exists that allows a stored XSS attack. This flaw exists because the ‘SyntaxHighlight_GeSHi.class.php’ script does not validate input to the ‘start’ parameter before returning it to users. This may allow a remote attacker to create a specially crafted request that will execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. (CVE-2017-0372)
Vendor: mediawiki
Product: mediawiki
Version:
CPE: cpe:/a:mediawiki:mediawiki