AVG-1371

Package mediawiki
Status Fixed
Severity Medium
Type multiple issues
Affected 1.35.0-1
Fixed 1.35.1-1
Current 1.37.0-1 [community]
Ticket FS#69132
Created Fri Dec 18 13:31:11 2020
| Issue | Severity | Remote | Type | Description |
|---|---|---|---|---|
| CVE-2020-35480 | Low | Yes | Information disclosure | An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden... |
| CVE-2020-35479 | Medium | Yes | Cross-site scripting | MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the... |
| CVE-2020-35478 | Medium | Yes | Cross-site scripting | MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via... |
| CVE-2020-35477 | Low | Yes | Information disclosure | MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page,... |
| CVE-2020-35475 | Medium | Yes | Cross-site scripting | In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits... |
| CVE-2020-35474 | Low | Yes | Cross-site scripting | In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of... |
| Date | Advisory | Package | Type |
|---|---|---|---|
| 12 Jan 2021 | ASA-202101-22 | mediawiki | multiple issues |
References
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html