FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mediawiki -- multiple vulnerabilities

Affected packages
mediawiki123 < 1.23.10
mediawiki124 < 1.24.3
mediawiki125 < 1.25.2

Details

VuXML ID 6241b5df-42a1-11e5-93ad-002590263bf5
Discovery 2015-08-10
Entry 2015-08-14
Modified 2015-12-24

MediaWiki reports:

Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList.

Internal review discovered that watchlist anti-CSRF tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via CSRF.

John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in XSS.
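
The token comparison issue in the second item above, as an added example that is not MediaWiki's or the FreeBSD project's code. It is written in Python rather than MediaWiki's PHP, counts bytes examined instead of measuring time so the result is deterministic, and uses a constructed token and hypothetical function names.

```python
import hmac

# Constructed sample token (not a real MediaWiki value).
TOKEN = b"9f2c4a7e1b3d5f60"

def leaky_equals(expected, supplied):
    """Early-exit compare. Returns (match, bytes_examined)."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:  # stops at the first mismatch: work depends on the secret
            return False, examined
    return True, examined

def constant_time_equals(expected, supplied):
    """XOR-accumulate compare. Always examines every byte."""
    if len(expected) != len(supplied):  # length of a fixed-size token is not secret
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, supplied):
        diff |= a ^ b  # no branch on secret data inside the loop
        examined += 1
    return diff == 0, examined

def work_profile(compare, expected):
    """Bytes examined when the first mismatch is at position 0, 1, ..., n-1."""
    profile = []
    for k in range(len(expected)):
        candidate = bytearray(expected)
        candidate[k] ^= 0xFF  # force a mismatch at position k
        profile.append(compare(expected, bytes(candidate))[1])
    return profile

def check_watchlist_token(session_token, request_token):
    """Hypothetical handler check using the standard library's constant-time compare."""
    return hmac.compare_digest(session_token.encode(), request_token.encode())

if __name__ == "__main__":
    print("early-exit   :", work_profile(leaky_equals, TOKEN))
    print("constant-time:", work_profile(constant_time_equals, TOKEN))
```

The early-exit profile grows with the length of the matching prefix, which is the signal a timing measurement picks up; the constant-time profile is flat.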

References

CVE Name CVE-2013-7444
CVE Name CVE-2015-6727
CVE Name CVE-2015-6728
CVE Name CVE-2015-6729
CVE Name CVE-2015-6730
CVE Name CVE-2015-6731
CVE Name CVE-2015-6733
CVE Name CVE-2015-6734
CVE Name CVE-2015-6735
CVE Name CVE-2015-6736
CVE Name CVE-2015-6737
URL http://www.openwall.com/lists/oss-security/2015/08/27/6
URL https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html
URL https://phabricator.wikimedia.org/T106893
URL https://phabricator.wikimedia.org/T94116
URL https://phabricator.wikimedia.org/T97391
