{"id":"MGASA-2017-0110","summary":"Updated mediawiki packages fix security vulnerability","details":"API parameters may now be marked as \"sensitive\" to keep their values out\nof the logs (CVE-2017-0361).\n\n\"Mark all pages visited\" on the watchlist now requires a CSRF token\n(CVE-2017-0362).\n\nSpecial:UserLogin and Special:Search allow redirect to interwiki links\n(CVE-2017-0363, CVE-2017-0364).\n\nXSS in SearchHighlighter::highlightText() when\n$wgAdvancedSearchHighlighting is true (CVE-2017-0365).\n\nSVG filter evasion using default attribute values in DTD declaration\n(CVE-2017-0366).\n\nEscape content model/format url parameter in message (CVE-2017-0368).\n\nSysops can undelete pages, although the page is protected against it\n(CVE-2017-0369).\n\nSpam blacklist ineffective on encoded URLs inside file inclusion syntax's\nlink parameter (CVE-2017-0370).\n","modified":"2026-04-16T06:24:27.948149359Z","published":"2017-04-16T06:29:12Z","upstream":["CVE-2017-0361","CVE-2017-0362","CVE-2017-0363","CVE-2017-0364","CVE-2017-0365","CVE-2017-0366","CVE-2017-0368","CVE-2017-0369","CVE-2017-0370"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0110.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=20654"},{"type":"WEB","url":"https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html"}],"affected":[{"package":{"name":"mediawiki","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/mediawiki?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.23.16-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0110.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}