Advisories ยป MGASA-2021-0086

Updated mediawiki packages fix security vulnerability

Publication date: 19 Feb 2021
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-35475 , CVE-2020-35477 , CVE-2020-35479 , CVE-2020-35480


In MediaWiki before 1.31.11, the messages userrights-expiry-current and
userrights-expiry-none can contain raw HTML. XSS can happen when a user visits
Special:UserRights but does not have rights to change all userrights, and the
table on the left side has unchangeable groups in it. The right column with
the changeable groups is not affected and is escaped correctly

MediaWiki before 1.31.11 blocks legitimate attempts to hide log entries in
some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main
Page, visits a log entry on Special:Log, and toggles the "Change visibility of
selected log entries" checkbox (or a tags checkbox) next to it, there is a
redirection to the main page's action=historysubmit instead of the desired
behavior in which a revision-deletion form appears (CVE-2020-35477).

MediaWiki before 1.31.11 allows XSS via BlockLogFormatter.php.
Language::translateBlockExpiry itself does not escape in all code paths. For
example, the return of Language::userTimeAndDate is is always unsafe for HTML
in a month value (CVE-2020-35479).

An issue was discovered in MediaWiki before 1.31.11. Missing users (accounts
that don't exist) and hidden users (accounts that have been explicitly hidden
due to being abusive, or similar) that the viewer cannot see are handled
differently, exposing sensitive information about the hidden status to
unprivileged viewers. This exists on various code paths (CVE-2020-35480).