DSA-4036-1 mediawiki -- mediawiki
ID: oval:org.secpod.oval:def:53185 | Date: (C)2019-04-04 (M)2022-08-31 | Class: PATCH | Family: unix
Multiple security vulnerabilities have been discovered in MediaWiki, a website engine for collaborative work:

CVE-2017-8808: Cross-site-scripting with non-standard URL escaping and $wgShowExceptionDetails disabled.
CVE-2017-8809: Reflected file download in API.
CVE-2017-8810: On private wikis the login form didn't distinguish between login failure due to bad username and bad password.
CVE-2017-8811: It was possible to mangle HTML via raw message parameter expansion.
CVE-2017-8812: id attributes in headlines allowed raw ">".
CVE-2017-8814: Language converter could be tricked into replacing text inside tags.
CVE-2017-8815: Unsafe attribute injection via glossary rules in language converter.