CVEs referencing https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html

An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.
Max Base Score: 4.4
Published: 2022-09-19
Updated: 2022-11-03
EPSS: 0.04%

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.
Max Base Score: 6.1
Published: 2022-03-30
Updated: 2023-05-21
EPSS: 0.29%

A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.
Max Base Score: 7.5
Published: 2022-09-19
Updated: 2022-11-03
EPSS: 0.08%

An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().
Max Base Score: 6.1
Published: 2022-07-02
Updated: 2023-05-21
EPSS: 0.17%

An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.
Max Base Score: 6.1
Published: 2022-07-02
Updated: 2023-05-21
EPSS: 0.11%