Description
Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649).
An issue was discovered in MediaWiki before 1.35.9. When installing with a
pre-existing data directory that has weak permissions, the SQLite files
are created with file mode 0644, i.e., world readable to local users.
These files include credentials data (CVE-2022-47927).
An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory
allows remote attackers to cause a denial of service because database
queries are slow (CVE-2023-22909).
An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget
replacement in HTML attributes, which can lead to XSS, because widget
authors often do not expect that their widget is executed in an HTML
attribute context (CVE-2023-22911).
An issue was discovered in MediaWiki before 1.35.10. An auto-block can
occur for an untrusted X-Forwarded-For header (CVE-2023-29141).
OATHAuth allows replay attacks when MediaWiki is configured without
ObjectCache; Insecure Default Configuration (T330086).