Zabe

Researcher fromWikimedia Communities
#12672of 53,622
21.3Total CVSS
Vulnerabilities · 4
Medium
4
PT-2022-12584
4.8
2021-12-20
Mediawiki · Mediawiki · CVE-2021-46150
**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.5 MediaWiki versions 1.36.x prior to 1.36.3 MediaWiki versions 1.37.x prior to 1.37.1 **Description** An issue in MediaWiki allows for XSS due to date mishandling in Special:CheckUserLog, as demonstrated by an XSS payload in MediaWiki:October. **Recommendations** For MediaWiki versions prior to 1.35.5, update to version 1.35.5 or later. For MediaWiki versions 1.36.x prior to 1.36.3, update to version 1.36.3 or later. For MediaWiki versions 1.37.x prior to 1.37.1, update to version 1.37.1 or later.
PT-2021-23480
6.1
2021-10-06
Mediawiki · Mediawiki · CVE-2021-42041
**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.36.3 **Description** An issue was discovered in CentralAuth in MediaWiki where the rightsnone MediaWiki message was not being properly sanitized. This allowed for the injection and execution of HTML and JavaScript via the setchange log. **Recommendations** For versions prior to 1.36.3, update to version 1.36.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the setchange log to minimize the risk of exploitation.
PT-2021-23411
6.1
2021-10-01
Mediawiki · Mediawiki · CVE-2021-41798
**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.36.2 **Description** The issue allows for XSS due to month-related MediaWiki messages not being escaped before being used on the Special:Search results page. **Recommendations** For versions prior to 1.36.2, update to version 1.36.2 or later to resolve the issue.
PT-2021-21124
4.3
2021-06-12
Mediawiki · Mediawiki · CVE-2021-36127
Name of the Vulnerable Software and Affected Versions: MediaWiki versions through 1.36 Description: An issue was discovered in the CentralAuth extension where the Special:GlobalUserRights page provided different search results for a suppressed MediaWiki user compared to other users, thus easily disclosing suppressed accounts. These accounts are supposed to be completely hidden. Recommendations: For MediaWiki versions through 1.36, update to a version that fixes this issue to prevent the disclosure of suppressed accounts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.