AVG-490

Package:  mediawiki
Status:   Fixed
Severity: High
Type:     multiple issues
Affected: 1.29.1-1
Fixed:    1.29.2-1
Current:  1.32.0-1 [community]
Ticket:   None
Created:  Wed Nov 15 09:55:49 2017
Issue           Severity  Remote  Type
CVE-2017-8815   High      Yes     Cross-site scripting
    The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.
CVE-2017-8814   High      Yes     Cross-site scripting
    The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule...
CVE-2017-8812   Medium    Yes     Insufficient validation
    MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute...
CVE-2017-8811   High      Yes     Cross-site scripting
    The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks.
CVE-2017-8810   Low       Yes     Information disclosure
    MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed...
CVE-2017-8809   High      Yes     Url request injection
    api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.
CVE-2017-8808   High      Yes     Cross-site scripting
    MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends...
CVE-2017-0361   High      No      Information disclosure
    MediaWiki before 1.29.2 may leak passwords in plaintext. API parameters may now be marked as "sensitive" to keep their values out of the logs.
Date         Advisory        Package    Description
15 Nov 2017  ASA-201711-20   mediawiki  multiple issues
References
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
Notes
CVE-2017-0361 wasn't correctly fixed in all branches in the previous security releases.