XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping (CVE-2017-8808). Reflected File Download from api.php (CVE-2017-8809). On private wikis, login form shouldnβt distinguish between login failure due to bad username and bad password (CVE-2017-8810). Itβs possible to mangle HTML via raw message parameter expansion (CVE-2017-8811). The id attribute on headlines allow raw > (CVE-2017-8812). Language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814). Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815). composer.json has require-dev versions of PHPUnit with known security issues (CVE-2017-9841). Note that MediaWiki 1.23.x on Mageia 5 is no longer supported. Those using the mediawiki package on Mageia 5 should upgrade to Mageia 6.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 6 | noarch | mediawiki | <Β 1.27.4-1 | mediawiki-1.27.4-1.mga6 |