MGASA-2023-0204

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2023-0204.html

Import Source

https://advisories.mageia.org/MGASA-2023-0204.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2023-0204

Related

Published

2023-06-28T05:21:41Z

Modified

2023-06-28T04:05:37Z

Summary

Updated mediawiki packages fix security vulnerability

Details

Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649).

An issue was discovered in MediaWiki before 1.35.9. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data (CVE-2022-47927).

An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow (CVE-2023-22909).

An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context (CVE-2023-22911).

An issue was discovered in MediaWiki before 1.35.10. An auto-block can occur for an untrusted X-Forwarded-For header (CVE-2023-29141).

OATHAuth allows replay attacks when MediaWiki is configured without ObjectCache; Insecure Default Configuration (T330086).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

MGASA-2023-0204

Affected packages