Updated mediawiki packages fix security vulnerabilities
Publication date: 05 Nov 2025Modification date: 05 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-3469 , CVE-2025-32696 , CVE-2025-32697 , CVE-2025-32698 , CVE-2025-32699 , CVE-2025-32700 , CVE-2025-32072 , CVE-2025-11173 , CVE-2025-11261 , CVE-2025-61635 , CVE-2025-61638 , CVE-2025-61639 , CVE-2025-61640 , CVE-2025-61641 , CVE-2025-61643 , CVE-2025-61646 , CVE-2025-61653
Description
i18n XSS vulnerability in HTMLMultiSelectField when sections are used.
(CVE-2025-3469)
"reupload-own" restriction can be bypassed by reverting file.
(CVE-2025-32696)
Cascading protection is not preventing file reversions. (CVE-2025-32697)
LogPager.php: Restriction enforcer functions do not correctly enforce
suppression restrictions. (CVE-2025-32698)
Potential javascript injection attack enabled by Unicode normalization
in Action API. (CVE-2025-32699)
AbuseFilter log interfaces expose global private and hidden filters when
central DB is not available. (CVE-2025-32700)
HTML injection in feed output from i18n message. (CVE-2025-32072)
OATHAuth extension: Reauthentication for enabling 2FA can be bypassed by
submitting a form in Special:OATHManage. (CVE-2025-11173)
Stored i18n Cross-site scripting (XSS) vulnerability in
mw.language.listToText. (CVE-2025-11261)
ConfirmEdit extension: Missing rate limiting in ApiFancyCaptchaReload.
(CVE-2025-61635)
Parsoid: Validation bypass for `data-` attributes. (CVE-2025-61638)
Log entries which are hidden from the creation of the entry may be
disclosed to the public recent change entry. (CVE-2025-61639)
Stored i18n Cross-site scripting (XSS) vulnerability in
Special:RecentChangesLinked. (CVE-2025-61640)
DDoS vulnerability in QueryAllPages API in miser mode. The `maxsize`
value is now ignored in that mode. (CVE-2025-61641)
Suppressed recent changes may be disclosed to the public RCFeeds.
(CVE-2025-61643)
Public Watchlist/RecentChanges pages may disclose hidden usernames when
an individual editor makes consecutive revisions on a single page, and
only some are marked as hidden username. (CVE-2025-61646)
TextExtracts extension: Information disclosure vulnerability in the
extracts API action endpoint due to missing read permission check.
(CVE-2025-61653)
VisualEditor extension: Stored i18n Cross-site scripting (XSS)
vulnerability in `lastModifiedAt` system messages. (CVE-2025-61655)
VisualEditor extension: Missing attribute validation for attributes
unwrapped from `data-ve-attributes`. (CVE-2025-61656)
References
- https://bugs.mageia.org/show_bug.cgi?id=34211
- https://lists.debian.org/debian-security-announce/2025/msg00063.html
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/
- https://lists.debian.org/debian-security-announce/2025/msg00121.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00034.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3469
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32696
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32697
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32698
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32699
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32700
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32072
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11173
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11261
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61635
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61638
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61639
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61640
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61641
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61643
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61646
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61653
SRPMS
9/core
- mediawiki-1.35.14-1.1.mga9