{"id":"MGASA-2021-0568","summary":"Updated mediawiki packages fix security vulnerabilities","details":"Updated mediawiki packages fix security vulnerabilities:\n\n== Security fixes ==\n* (T292763, CVE-2021-44854) REST API incorrectly publicly caches\n  autocomplete search results from private wikis.\n* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via\n  Special:ChangeContentModel.\n* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to\n  replace the content of arbitrary pages.\n* (T297322, CVE-2021-44858) Unauthorized users can view contents of private\n  wikis using various actions.\n* (T297574, CVE-2021-45038) Unauthorized users can access private wiki\n  contents using rollback action.\n\n=== Extension security fixes ===\n* (T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.\n* (T294686) Special:Nuke doesn't actually delete pages.\n","modified":"2026-02-04T03:49:53.447762Z","published":"2021-12-19T12:26:08Z","related":["CVE-2021-44854","CVE-2021-44855","CVE-2021-44856","CVE-2021-44857","CVE-2021-44858","CVE-2021-45038"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0568.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29772"},{"type":"REPORT","url":"https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/"}],"affected":[{"package":{"name":"mediawiki","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/mediawiki?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.35.5-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0568.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}