SB2020100605 - Multiple vulnerabilities in MediaWiki
Published: October 6, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2020-25812)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on "Special:Contributions". A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
2) Information disclosure (CVE-ID: CVE-2020-25869)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the handling of actor IDs does not necessarily use the correct database or the correct wiki. A remote attacker can gain unauthorized access to sensitive information on the system.
3) Cross-site scripting (CVE-ID: CVE-2020-26120)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the MobileFrontend extension. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
4) Input validation error (CVE-ID: CVE-2020-26121)
The vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to a mishandled distinction between an upload restriction and a create restriction in the FileImporter extension. A remote attacker can force a wiki to have a page with a disallowed title.
Remediation
Install the update from the vendor's website.
References
- https://gerrit.wikimedia.org/g/mediawiki/core/+/ad4a3ba45fb955aa8c0eb3c83809b16b40a498b9/includes/specials/SpecialContributions.php#592
- https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
- https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html
- https://github.com/wikimedia/mediawiki/commit/358c1ec070d4f989e049550d88b629ab166c6f15
- https://phabricator.wikimedia.org/T260485
- https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10ea
- https://phabricator.wikimedia.org/T262213
- https://commons.wikimedia.org/w/index.php?oldid=454609892#File:Wiki.png
- https://gerrit.wikimedia.org/r/q/Ib852a96afc4dca10516d0510e69c10f9892b351b
- https://phabricator.wikimedia.org/T262628