AVG-1775 log

Package mediawiki
Status Fixed
Severity Medium
Type multiple issues
Affected 1.35.1-2
Fixed 1.35.2-1
Current 1.35.2-1 [community]
Ticket None
Created Tue Apr 6 08:57:38 2021
Advisory Pending
Issue Severity Remote Type Description
CVE-2021-30458 Medium Yes Cross-site scripting
An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will...
CVE-2021-30159 Medium Yes Access restriction bypass
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in...
CVE-2021-30158 Low Yes Incorrect calculation
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has...
CVE-2021-30157 Medium Yes Cross-site scripting
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and...
CVE-2021-30155 Medium Yes Access restriction bypass
n issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct...
CVE-2021-30154 Medium Yes Cross-site scripting
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics- header-* messages...
CVE-2021-30153 Medium Yes Information disclosure
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ApiVisualEditor can leak that a "hidden" user exists.
CVE-2021-30152 Medium Yes Access restriction bypass
An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is...
CVE-2021-27291 Low Yes Denial of service
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have...
CVE-2021-20270 Low Yes Denial of service
A security issue was found in python-pygments version 1.5 up to 2.7.3. When the SMLLexer gets fed the string "exception", it loops indefinitely, leading to...
References
https://lists.wikimedia.org/pipermail/mediawiki-announce/2021-April/000272.html