Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: mediawiki

Found 8 matching suggestions

Permalink CVE-2025-67481
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-67475
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Stored XSS through edit summaries in MW Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-67476
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Importing leaks IP address of importer via EventStreams

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-67484
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Action API xslt option allows JavaScript execution by administrators who are not interface administrators

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-67483
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-67477
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Stored XSS through a system message in Special:ApiSandbox

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-11261
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Stored i18n XSS exposed by security patch for T402077

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2.

Affected products

MediaWiki
  • <1.39.15, 1.43.5, 1.44.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-61644
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
i18n XSS through Special:Watchlist

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca.

Affected products

MediaWiki
  • <> fb856ce9cf121e046305116852cca4899ecb48ca

Matching in nixpkgs

Package maintainers

Apparently fixed after https://github.com/wikimedia/mediawiki/commit/fb856ce9cf121e046305116852cca4899ecb48ca (MW 1.45.1)