VDB

MAGEIA-2019-279

MAGEIA-2019-279 PUBLISHED

Updated mediawiki packages fix security vulnerabilities: Potential XSS in jQuery (CVE-2019-11358). An account can be logged out without using a token (CSRF) (CVE-2019-12466). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them (CVE-2019-12467). Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover (CVE-2019-12468). Exposed suppressed username or log in Special:EditTags (CVE-2019-12469). Exposed suppressed log in RevisionDelete page (CVE-2019-12470). Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users' loading that script (CVE-2019-12471). It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API (CVE-2019-12472). Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table (CVE-2019-12473). Privileged API responses that include whether a recent change has been patrolled may be cached publicly (CVE-2019-12474). The mediawiki package has been updated to version 1.27.6 (Mageia 6) and 1.31.2 (Mageia 7), fixing these issues and other bugs. See the release announcements for more details.

Affected Products

VendorProductVersions
Mageiamediawiki0, 1.31.3-1.mga7
Mageiamediawiki0, 1.27.7-1.mga6

Timeline

  • Sep 15, 2019 CVE Updated
  • Sep 15, 2019 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›