| author | Wen Heping <wen@FreeBSD.org> | 2019-07-05 00:44:48 +0000 |
|---|---|---|
| committer | Wen Heping <wen@FreeBSD.org> | 2019-07-05 00:44:48 +0000 |
| commit | 4e58056368d6f7579c75780e9800ba37b9319187 (patch) | |
| tree | 76762ab22765660ace02844d3891cd55f73374fb /security | |
| parent | 182fd491e3b8ad5dd6f79b71bd4cf8514312773a (diff) | |
| download | ports-4e58056368d6f7579c75780e9800ba37b9319187.tar.gz | ports-4e58056368d6f7579c75780e9800ba37b9319187.zip |
Diffstat (limited to 'security')

| -rw-r--r-- | security/vuxml/vuln.xml | 56 |
|---|---|---|

1 file changed, 56 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 1cf233483fcd..ddb89ae46792 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -58,6 +58,62 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="3c5a4fe0-9ebb-11e9-9169-fcaa147e860e"> + <topic>mediawiki -- multiple vulnerabilities</topic> + <affects> + <package> + <name>mediawiki131</name> + <range><lt>1.31.3</lt></range> + </package> + <package> + <name>mediawiki132</name> + <range><lt>1.32.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Mediawiki reports:</p> + <blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html"> + <p>Security fixes: + T197279, CVE-2019-12468: Directly POSTing to Special:ChangeEmail would allow + for bypassing reauthentication, allowing for potential account takeover. + T204729, CVE-2019-12473: Passing invalid titles to the API could cause a DoS + by querying the entire `watchlist` table. + T207603, CVE-2019-12471: Loading user JavaScript from a non-existent account + allows anyone to create the account, and XSS the users' loading that script. + T208881: blacklist CSS var(). + T199540, CVE-2019-12472: It is possible to bypass the limits on IP range + blocks (`$wgBlockCIDRLimit`) by using the API. + T212118, CVE-2019-12474: Privileged API responses that include whether a + recent change has been patrolled may be cached publicly. + T209794, CVE-2019-12467: A spammer can use Special:ChangeEmail to send out + spam with no rate limiting or ability to block them. + T25227, CVE-2019-12466: An account can be logged out without using a token(CRRF) + T222036, CVE-2019-12469: Exposed suppressed username or log in Special:EditTags. + T222038, CVE-2019-12470: Exposed suppressed log in RevisionDelete page. 
+ T221739, CVE-2019-11358: Fix potential XSS in jQuery.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2019-11358</cvename> + <cvename>CVE-2019-12466</cvename> + <cvename>CVE-2019-12467</cvename> + <cvename>CVE-2019-12468</cvename> + <cvename>CVE-2019-12469</cvename> + <cvename>CVE-2019-12470</cvename> + <cvename>CVE-2019-12471</cvename> + <cvename>CVE-2019-12472</cvename> + <cvename>CVE-2019-12473</cvename> + <cvename>CVE-2019-12474</cvename> + <url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html</url> + </references> + <dates> + <discovery>2019-04-23</discovery> + <entry>2019-07-05</entry> + </dates> + </vuln> + <vuln vid="b79ec16b-9da7-11e9-a0ea-a92fe7db4867"> <topic>ettercap -- out-of-bound read vulnerability</topic> <affects> |
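Review bot: In the blockquote, "logged out without using a token(CRRF)" looks like a typo for "token (CSRF)"; since the blockquote is meant to reproduce the upstream announcement verbatim, check the cited mediawiki-announce URL and correct it only if the upstream text actually reads "CSRF". Separately, all eleven advisory lines (T197279/CVE-2019-12468 through T221739/CVE-2019-11358) sit inside a single <p>, so the XHTML rendering on vuxml.org collapses them into one run-on paragraph; a <ul> with one <li> per T-number/CVE pair, or one <p> per item, would keep each issue readable and make it easy to confirm that every CVE in the text has a matching <cvename> in <references>.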