
642 matches found

Debian CVE
added 2019/07/10 4:4 p.m. | 23 views

CVE-2019-12470

Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...

CVSS 6.5 | AI score 6.8 | EPSS 0.01382
Exploits: 0
Cvelist
added 2019/07/10 3:58 p.m. | 22 views

CVE-2019-12474

Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...

AI score 6.6 | EPSS 0.02043
Exploits: 0 | References: 4
Debian CVE
added 2019/07/10 3:58 p.m. | 31 views

CVE-2019-12474

Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...

CVSS 7.5 | AI score 7.5 | EPSS 0.02043
Exploits: 0
CVE
added 2019/07/10 3:55 p.m. | 92 views

CVE-2019-12472

MediaWiki 1.18.0–1.32.1 contains an Incorrect Access Control vulnerability that allows bypassing IP range block limits ($wgBlockCIDRLimit) via the API. This can enable abuse of block controls that should restrict large CIDR blocks. The issue is fixed in versions 1.32.2, 1.31.2, 1.30.2, and 1.27.6...

CVSS 7.5 | AI score 6.6 | EPSS 0.01362
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2019/07/10 3:55 p.m. | 28 views

CVE-2019-12472

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks $wgBlockCIDRLimit by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...

AI score 6.7 | EPSS 0.01362
Exploits: 0 | References: 2
Debian CVE
added 2019/07/10 3:55 p.m. | 23 views

CVE-2019-12472

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks $wgBlockCIDRLimit by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...

CVSS 7.5 | AI score 7.6 | EPSS 0.01362
Exploits: 0
CVE
added 2019/07/10 3:49 p.m. | 98 views

CVE-2019-12471

MediaWiki CVE-2019-12471: A cross-site scripting flaw exists in MediaWiki 1.30.0–1.32.1 when loading user JavaScript from a non-existent account, allowing XSS on users who load that script. Affected: 1.30.0–1.32.1. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. Upgrade to a fixed release to mitigate.

CVSS 6.1 | AI score 5.9 | EPSS 0.01285
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2019/07/10 3:49 p.m. | 17 views

CVE-2019-12471

Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...

AI score 6.1 | EPSS 0.01285
Exploits: 0 | References: 4
Debian CVE
added 2019/07/10 3:49 p.m. | 30 views

CVE-2019-12471

Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...

CVSS 6.1 | AI score 6.3 | EPSS 0.01285
Exploits: 0
CVE
added 2019/07/10 3:43 p.m. | 83 views

CVE-2019-12473

MediaWiki CVE-2019-12473 affects 1.27.0–1.32.1; passing invalid titles to the API could trigger a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

CVSS 7.5 | AI score 6.5 | EPSS 0.0231
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2019/07/10 3:31 p.m. | 19 views

CVE-2019-12466

Wikimedia MediaWiki through 1.32.1 allows CSRF...

AI score 6.7 | EPSS 0.00848
Exploits: 0 | References: 4
CVE
added 2019/07/10 3:31 p.m. | 88 views

CVE-2019-12466

MediaWiki before 1.32.2 is affected by CVE-2019-12466: a cross‑site request forgery in the logout feature that can occur without a token. The initial description states CSRF in MediaWiki 1.32.1 and prior. Connected advisories confirm fixes in newer releases (e.g., Mageia lists 1.32.2-alt1; Debian...

CVSS 8.8 | AI score 7 | EPSS 0.00848
Exploits: 0 | References: 4 | Affected Software: 1
Debian CVE
added 2019/07/10 3:31 p.m. | 26 views

CVE-2019-12466

Wikimedia MediaWiki through 1.32.1 allows CSRF...

CVSS 8.8 | AI score 8.9 | EPSS 0.00848
Exploits: 0
OSV
added 2019/07/10 3:15 p.m. | 18 views

CVE-2019-12468

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover...

CVSS 9.8 | AI score 6.7
Exploits: 0 | References: 5
NVD
added 2019/07/10 3:15 p.m. | 15 views

CVE-2019-12468

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover...

CVSS 9.8 | AI score 9.5 | EPSS 0.03427
Exploits: 0 | References: 5
Prion
added 2019/07/10 3:15 p.m. | 16 views

Improper access control

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover...

CVSS 7.5 | AI score 9.3 | EPSS 0.03427
Exploits: 0 | References: 5 | Affected Software: 2
UbuntuCve
added 2019/07/10 3:15 p.m. | 28 views

CVE-2019-12468

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover...

CVSS 9.8 | AI score 7.1 | EPSS 0.03427
Exploits: 0 | References: 3
Cvelist
added 2019/07/10 2:58 p.m. | 24 views

CVE-2019-12468

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover...

AI score 7.6 | EPSS 0.03427
Exploits: 0 | References: 5
CVE
added 2019/07/10 2:58 p.m. | 90 views

CVE-2019-12468

CVE-2019-12468 affects MediaWiki 1.27.0–1.32.1. The issue is an Incorrect Access Control vulnerability where directly POSTing to Special:ChangeEmail bypasses re-authentication, enabling potential account takeover. Connected advisories confirm the flaw and describe remediation in vendor packages: ...

CVSS 9.8 | AI score 7.5 | EPSS 0.03427
Exploits: 0 | References: 5 | Affected Software: 1
Debian CVE
added 2019/07/10 2:58 p.m. | 29 views

CVE-2019-12468

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover...

CVSS 9.8 | AI score 9.5 | EPSS 0.03427
Exploits: 0