MGASA-2017-0429

Source
https://advisories.mageia.org/MGASA-2017-0429.html
Import Source
https://advisories.mageia.org/MGASA-2017-0429.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2017-0429
Related
Published
2017-11-29T18:52:42Z
Modified
2017-11-29T18:22:54Z
Summary
Updated mediawiki packages fix security vulnerabilities
Details

XSS when $wgShowExceptionDetails = false and the browser sends non-standard URL escaping (CVE-2017-8808).

Reflected File Download from api.php (CVE-2017-8809).

On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password (CVE-2017-8810).
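The username-enumeration problem behind CVE-2017-8810, shown as an added example that is not MediaWiki's code: a login routine that answers "no such user" and "wrong password" differently lets an unauthenticated client discover which accounts exist, and one that returns a single message and does the same hashing work on both paths does not. The user table, the password and the hashing parameters are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed for the example: one account, PBKDF2-SHA256 with a per-user salt.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Placeholder credential used on the unknown-user path so that a miss costs
# the same hashing work as a real check (removes the timing side of the oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> str:
    """Leaks account existence: the response differs for unknown user vs bad password."""
    if username not in USERS:
        return "no such user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "wrong password"


def login_hardened(username: str, password: str) -> str:
    """Same message and same amount of work whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    # The membership test runs after the hash, so both paths do equal work.
    if matched and username in USERS:
        return "ok"
    return "incorrect username or password"


def probe_usernames(login, candidates):
    """Attacker's view: which candidates does this login function confirm exist?

    A name is 'confirmed' when its response differs from the response for a
    username that certainly does not exist.
    """
    baseline = login("\x00no-such-account\x00", "x")
    return {name for name in candidates if login(name, "x") != baseline}


if __name__ == "__main__":
    names = ["alice", "bob", "admin"]
    print("vulnerable login reveals:", probe_usernames(login_vulnerable, names))
    print("hardened login reveals:  ", probe_usernames(login_hardened, names))
```

On a private wiki the same uniform message should be returned for disabled or non-existent accounts as well, since any branch that answers differently reopens the oracle.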

It's possible to mangle HTML via raw message parameter expansion (CVE-2017-8811).

The id attribute on headlines allows a raw > (CVE-2017-8812).
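How a raw > ends up inside an id attribute, as an added example in Python rather than MediaWiki's PHP: an escaper that only handles & and " leaves > intact, whereas full attribute escaping or an allowlist encoding of the id value does not. The headline text, the .XX encoding scheme and the check function are constructed for this example and are not MediaWiki's implementation.

```python
import html
import re


def headline_id_naive(title: str) -> str:
    """Escapes only & and ", so a '>' in the title survives into the attribute value."""
    return title.replace("&", "&amp;").replace('"', "&quot;")


def headline_id_escaped(title: str) -> str:
    """Full attribute escaping: &, <, >, " and ' are all encoded."""
    return html.escape(title, quote=True)


# Allowlist for id values in this example; '.' is deliberately excluded so
# that the .XX escape sequence below cannot be spoofed by a literal dot.
_ID_SAFE = re.compile(r"[A-Za-z0-9_:-]")


def headline_id_strict(title: str) -> str:
    """Allowlist encoding: spaces become '_', any other character outside the
    allowlist becomes one '.XX' hex escape per UTF-8 byte."""
    out = []
    for ch in title.replace(" ", "_"):
        if _ID_SAFE.fullmatch(ch):
            out.append(ch)
        else:
            out.append("".join(".%02X" % b for b in ch.encode("utf-8")))
    return "".join(out)


def render_headline(title: str, make_id) -> str:
    """Build the <h2> the way a section header would be emitted."""
    return '<h2 id="%s">%s</h2>' % (make_id(title), html.escape(title))


def attribute_is_clean(markup: str) -> bool:
    """True when the id="..." value contains no raw '<' or '>'."""
    m = re.search(r'id="([^"]*)"', markup)
    return m is not None and "<" not in m.group(1) and ">" not in m.group(1)


if __name__ == "__main__":
    title = 'See "a>b"'
    for name, fn in [("naive", headline_id_naive),
                     ("escaped", headline_id_escaped),
                     ("strict", headline_id_strict)]:
        out = render_headline(title, fn)
        print("%-8s clean=%s  %s" % (name, attribute_is_clean(out), out))
```

The check in attribute_is_clean is a regression test for output, not a sanitizer: the fix is to escape or encode at the point where the attribute value is built, and the check only confirms that the chosen escaper covers > as well as the quote character.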

Language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814).

Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815).

composer.json has require-dev versions of PHPUnit with known security issues (CVE-2017-9841).

Note that MediaWiki 1.23.x on Mageia 5 is no longer supported. Users of the mediawiki package on Mageia 5 should upgrade to Mageia 6.
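A check that the installed package is at or above the fixed version named in this advisory, added here as an example rather than a Mageia tool: it implements a simplified form of RPM version comparison (alphanumeric segments compared numerically or lexically, numeric beating alpha, longer wins on a common prefix) and applies it to the version-release string of the installed package. Epoch is not handled, and the `rpm -q` output fed to it is constructed inline.

```python
import re

# Fixed version stated in this advisory for Mageia 6.
FIXED = "1.27.4-1.mga6"


def _segments(s: str):
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1, 0 or 1 as a is older than, equal to, or newer than b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xn != yn:
            return 1 if xn else -1      # numeric segment sorts after alpha
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_evr(evr: str):
    """'1.27.3-1.mga6' -> ('1.27.3', '1.mga6'); epoch is ignored in this example."""
    version, _, release = evr.partition("-")
    return version, release


def is_fixed(installed_evr: str, fixed_evr: str = FIXED) -> bool:
    """True when version-release is at or above the fixed version-release."""
    iv, ir = split_evr(installed_evr)
    fv, fr = split_evr(fixed_evr)
    c = rpmvercmp(iv, fv)
    if c == 0:
        c = rpmvercmp(ir, fr)
    return c >= 0


def audit(rpm_q_output: str) -> dict:
    """Parse lines of the form '<name> <version>-<release>' as produced by
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' mediawiki, and map each
    version-release to whether it carries the fix."""
    results = {}
    for line in rpm_q_output.splitlines():
        if not line.strip():
            continue
        _name, evr = line.split()
        results[evr] = is_fixed(evr)
    return results


# Constructed sample output for three hosts (not real query results).
SAMPLE = """mediawiki 1.27.3-1.mga6
mediawiki 1.27.4-1.mga6
mediawiki 1.23.16-1.mga5
"""

if __name__ == "__main__":
    for evr, ok in audit(SAMPLE).items():
        print("%-18s %s" % (evr, "fixed" if ok else "VULNERABLE"))
```

The 1.23.x result on Mageia 5 comes out as vulnerable because that line never reaches 1.27.4; per the note above there is no fixed 1.23.x package for Mageia 5, so the remediation there is a distribution upgrade rather than a package update.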

References
Credits

Affected packages

Mageia:6 / mediawiki

Package

Name
mediawiki
Purl
pkg:rpm/mageia/mediawiki?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.27.4-1.mga6

Ecosystem specific

{
    "section": "core"
}