Dylsss

Name of the Vulnerable Software and Affected Versions: Mediawiki - Wikibase Media Info Extension versions 1.39 through 1.43 Description: The issue is related to Improper Input Validation, which allows Cross-Site Scripting (XSS). This exposes systems to XSS risk. Recommendations: For versions 1.39 through 1.43, update to a version that fixes the Improper Input Validation issue to prevent Cross-Site Scripting (XSS) attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions through 1.37.1 **Description** An issue was discovered in the ImportPlanValidator.php file of the FileImporter extension, where it mishandles the check for edit rights. **Recommendations** For MediaWiki versions through 1.37.1, consider disabling the FileImporter extension until a patch is available. Restrict access to the ImportPlanValidator.php file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions 1.37 and earlier Description: The issue allows XSS in Wikibase item descriptions, which is triggered when visiting an action=info URL, also known as a page-information sidebar. Recommendations: For MediaWiki versions 1.37 and earlier, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the action=info URL until a patch is available. Avoid using the Wikibase item descriptions feature in the affected versions until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions through 1.37 Description: The issue concerns a problem where the Special:ImportFile URI, also known as FileImporter, in MediaWiki allows for cross-site scripting (XSS) attacks. This is demonstrated through the `clientUrl` parameter. Recommendations: For MediaWiki versions through 1.37, as a temporary workaround, consider restricting access to the Special:ImportFile URI until a patch is available. Avoid using the `clientUrl` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions 1.37 and earlier Description: The issue allows for XSS to occur in Wikibase due to an external identifier property having a URL format that includes a $1 formatter substitution marker. This can be exploited using the javascript: URL scheme among others. Recommendations: For MediaWiki versions 1.37 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.38 Description: The issue allows blocked IP addresses to edit EntitySchema items. This is a problem in MediaWiki where blocked users can still make changes to certain items. Recommendations: For MediaWiki versions prior to 1.38, update to version 1.38 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.5 MediaWiki versions 1.36.x prior to 1.36.3 MediaWiki versions 1.37.x prior to 1.37.1 **Description** An issue was discovered in the REST API of MediaWiki, which publicly caches results from private wikis, potentially leading to information disclosure. This could allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For MediaWiki versions prior to 1.35.5, update to version 1.35.5 or later. For MediaWiki versions 1.36.x prior to 1.36.3, update to version 1.36.3 or later. For MediaWiki versions 1.37.x prior to 1.37.1, update to version 1.37.1 or later. As a temporary workaround, consider disabling the REST API until a patch is available. Restrict access to private wikis to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.35.5 MediaWiki versions 1.36.x prior to 1.36.3 MediaWiki versions 1.37.x prior to 1.37.1 Description: An issue allows viewing private pages on a private wiki with at least one page set in `$wgWhitelistRead` by using specific actions in sequence, such as `action=edit&undo=` followed by `action=mcrundo` and `action=mcrrestore`. Recommendations: For MediaWiki versions prior to 1.35.5, update to version 1.35.5 or later. For MediaWiki versions 1.36.x prior to 1.36.3, update to version 1.36.3 or later. For MediaWiki versions 1.37.x prior to 1.37.1, update to version 1.37.1 or later. As a temporary workaround, consider restricting access to the `action=mcrundo` and `action=mcrrestore` endpoints to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.35.5 MediaWiki versions 1.36.x prior to 1.36.3 MediaWiki versions 1.37.x prior to 1.37.1 Description: An issue was discovered in MediaWiki. By using an `action=rollback` query, attackers can view private wiki contents. Recommendations: For MediaWiki versions prior to 1.35.5, update to version 1.35.5 or later. For MediaWiki versions 1.36.x prior to 1.36.3, update to version 1.36.3 or later. For MediaWiki versions 1.37.x prior to 1.37.1, update to version 1.37.1 or later. As a temporary workaround, consider restricting access to the `action=rollback` query until a patch is available.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.35.5 MediaWiki versions 1.36.x prior to 1.36.3 MediaWiki versions 1.37.x prior to 1.37.1 Description: An issue allows replacing the content of any arbitrary page using `action=mcrundo` followed by `action=mcrrestore`, even if the user does not have edit rights for that page. This issue affects any public wiki or a private wiki with at least one page set in `$wgWhitelistRead`. Recommendations: For MediaWiki versions prior to 1.35.5, update to version 1.35.5 or later. For MediaWiki versions 1.36.x prior to 1.36.3, update to version 1.36.3 or later. For MediaWiki versions 1.37.x prior to 1.37.1, update to version 1.37.1 or later. As a temporary workaround, consider restricting access to the `action=mcrundo` and `action=mcrrestore` actions until a patch is applied.