Nixpkgs security tracker

Untriaged

Permalink CVE-2013-4572

created 2 months ago Activity log

Created suggestion 2 months ago

The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, …

The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.

References

https://bugzilla.wikimedia.org/show_bug.cgi?id=53032 x_transferredx_refsource_MISC
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.… x_transferredx_refsource_MISC
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.… x_transferredx_refsource_MISC
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.ht… x_transferredx_refsource_CONFIRM

Affected products

MediaWiki

==1.20.x before 1.20.8
==1.21.x before 1.21.3
==before 1.19.9

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Untriaged

Permalink CVE-2013-1816

created 2 months ago Activity log

Created suggestion 2 months ago

MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers …

MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.

References

58306 x_refsource_BIDx_transferredvdb-entry
https://security-tracker.debian.org/tracker/CVE-2013-1816 x_transferredx_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1816 x_transferredx_refsource_MISC
https://exchange.xforce.ibmcloud.com/vulnerabilities/88360 x_transferredx_refsource_MISC
http://security.gentoo.org/glsa/glsa-201310-21.xml x_transferredx_refsource_MISC
http://www.openwall.com/lists/oss-security/2013/03/05/4 x_transferredx_refsource_MISC

Affected products

mediawiki

==1.19.4
==1.20.3

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Untriaged

Permalink CVE-2013-1817

created 2 months ago Activity log

Created suggestion 2 months ago

MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error …

MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.

References

https://security-tracker.debian.org/tracker/CVE-2013-1817 x_transferredx_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1817 x_transferredx_refsource_MISC
http://www.securityfocus.com/bid/58305 x_transferredx_refsource_MISC
http://security.gentoo.org/glsa/glsa-201310-21.xml x_transferredx_refsource_MISC
http://www.openwall.com/lists/oss-security/2013/03/05/4 x_transferredx_refsource_MISC
https://exchange.xforce.ibmcloud.com/vulnerabilities/88359 x_transferredx_refsource_MISC

Affected products

mediawiki

==1.19.4
==1.20.3

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Untriaged

Permalink CVE-2013-4303

created 2 months ago Activity log

Created suggestion 2 months ago

includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, …

includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.

References

http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.h… x_transferredx_refsource_MISC
http://seclists.org/oss-sec/2013/q3/553 x_transferredx_refsource_MISC
https://bugzilla.wikimedia.org/show_bug.cgi?id=52746 x_transferredx_refsource_MISC
http://www.securityfocus.com/bid/62194 x_transferredx_refsource_MISC
https://exchange.xforce.ibmcloud.com/vulnerabilities/86897 x_transferredx_refsource_MISC

Affected products

MediaWiki

==and 1.21.x before 1.21.2
==1.19.x before 1.19.8
==1.20.x before 1.20.7

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Untriaged

Permalink CVE-2013-6455

created 2 months ago Activity log

Created suggestion 2 months ago

The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, …

The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page.

References

http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html x_transferredx_refsource_MISC

Affected products

MediaWiki

==1.2x before 1.21.4
==before 1.19.10
==1.22.x before 1.22.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Untriaged

Permalink CVE-2013-1951

created 2 months ago Activity log

Created suggestion 2 months ago

A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and …

A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names.

References

https://security-tracker.debian.org/tracker/CVE-2013-1951 x_transferredx_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1951 x_transferredx_refsource_MISC
http://security.gentoo.org/glsa/glsa-201310-21.xml x_transferredx_refsource_MISC
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-1951 x_transferredx_refsource_MISC
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/104022.html x_transferredx_refsource_MISC
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/104027.html x_transferredx_refsource_MISC
http://www.openwall.com/lists/oss-security/2013/04/16/12 x_transferredx_refsource_MISC
http://www.securityfocus.com/bid/59077 x_transferredx_refsource_MISC
https://phabricator.wikimedia.org/T48084 x_transferredx_refsource_CONFIRM

Affected products

MediaWiki

==before 1.19.5 and 1.20.x before 1.20.4

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Untriaged

Permalink CVE-2013-6451

created 2 months ago Activity log

Created suggestion 2 months ago

Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x …

Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.

References

http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html x_transferredx_refsource_MISC

Affected products

MediaWiki

==1.2x before 1.21.4
==1.19.9 before 1.19.10
==1.22.x before 1.22.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Untriaged

Permalink CVE-2012-0046

created 2 months ago Activity log

Created suggestion 2 months ago

mediawiki allows deleted text to be exposed

References

https://security-tracker.debian.org/tracker/CVE-2012-0046 x_transferredx_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0046 x_transferredx_refsource_MISC
https://access.redhat.com/security/cve/cve-2012-0046 x_transferredx_refsource_MISC

Affected products

mediawiki

==1.16

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Untriaged

Permalink CVE-2012-4381

created 2 months ago Activity log

Created suggestion 2 months ago

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in …

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors.

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330 x_transferredx_refsource_MISC
https://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html x_transferredx_refsource_MISC
http://www.openwall.com/lists/oss-security/2012/08/31/6 x_transferredx_refsource_MISC
http://www.openwall.com/lists/oss-security/2012/08/31/10 x_transferredx_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=853442 x_transferredx_refsource_MISC
https://phabricator.wikimedia.org/T41184 x_transferredx_refsource_MISC
http://osvdb.org/show/osvdb/85106 x_transferredx_refsource_MISC

Affected products

MediaWiki

==1.19.x before 1.19.2
==before 1.18.5

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Untriaged

Permalink CVE-2025-67484

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

Action API xslt option allows JavaScript execution by administrators who are not interface administrators

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

References

https://phabricator.wikimedia.org/T401995

Affected products

MediaWiki

<1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.0
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0
nixos-25.11 1.44.2

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@astro Astro <astro@spaceboyz.net>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers