{"id":"MGASA-2025-0260","summary":"Updated mediawiki packages fix security vulnerabilities","details":"i18n XSS vulnerability in HTMLMultiSelectField when sections are used.\n(CVE-2025-3469)\n\"reupload-own\" restriction can be bypassed by reverting file.\n(CVE-2025-32696)\nCascading protection does not prevent file reversions. (CVE-2025-32697)\nLogPager.php: Restriction enforcer functions do not correctly enforce\nsuppression restrictions. (CVE-2025-32698)\nPotential JavaScript injection attack enabled by Unicode normalization\nin Action API. (CVE-2025-32699)\nAbuseFilter log interfaces expose global private and hidden filters when\ncentral DB is not available. (CVE-2025-32700)\nHTML injection in feed output from i18n message. (CVE-2025-32072)\nOATHAuth extension: Reauthentication for enabling 2FA can be bypassed by\nsubmitting a form in Special:OATHManage. (CVE-2025-11173)\nStored i18n Cross-site scripting (XSS) vulnerability in\nmw.language.listToText. (CVE-2025-11261)\nConfirmEdit extension: Missing rate limiting in ApiFancyCaptchaReload.\n(CVE-2025-61635)\nParsoid: Validation bypass for `data-` attributes. (CVE-2025-61638)\nLog entries hidden from the moment of their creation may be disclosed\nthrough the public recent changes entry. (CVE-2025-61639)\nStored i18n Cross-site scripting (XSS) vulnerability in\nSpecial:RecentChangesLinked. (CVE-2025-61640)\nDDoS vulnerability in QueryAllPages API in miser mode. The `maxsize`\nvalue is now ignored in that mode. (CVE-2025-61641)\nSuppressed recent changes may be disclosed to the public RCFeeds.\n(CVE-2025-61643)\nPublic Watchlist/RecentChanges pages may disclose hidden usernames when\nan individual editor makes consecutive revisions on a single page, and\nonly some are marked as hidden username. (CVE-2025-61646)\nTextExtracts extension: Information disclosure vulnerability in the\nextracts API action endpoint due to missing read permission check.\n(CVE-2025-61653)\nVisualEditor extension: Stored i18n Cross-site scripting (XSS)\nvulnerability in `lastModifiedAt` system messages. (CVE-2025-61655)\nVisualEditor extension: Missing attribute validation for attributes\nunwrapped from `data-ve-attributes`. (CVE-2025-61656)\n","modified":"2026-03-25T17:59:26.518656Z","published":"2025-11-05T22:49:51Z","related":["CVE-2025-11173","CVE-2025-11261","CVE-2025-32072","CVE-2025-32696","CVE-2025-32697","CVE-2025-32698","CVE-2025-32699","CVE-2025-32700","CVE-2025-3469","CVE-2025-61635","CVE-2025-61638","CVE-2025-61639","CVE-2025-61640","CVE-2025-61641","CVE-2025-61643","CVE-2025-61646","CVE-2025-61653","CVE-2025-61655","CVE-2025-61656"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0260.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34211"},{"type":"REPORT","url":"https://lists.debian.org/debian-security-announce/2025/msg00063.html"},{"type":"REPORT","url":"https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/"},{"type":"REPORT","url":"https://lists.debian.org/debian-security-announce/2025/msg00121.html"},{"type":"REPORT","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00034.html"}],"affected":[{"package":{"name":"mediawiki","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/mediawiki?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.35.14-1.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0260.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}
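The `affected` block above says a Mageia 9 `mediawiki` package is vulnerable from the first version up to, but not including, `1.35.14-1.1.mga9`. Deciding whether a given installed package falls in that range is an RPM EVR comparison, not a string comparison: `1.35.14-1.mga9` is older than the fix even though it sorts after it lexically. The following is an added example, not code from Mageia or the OSV project. It reimplements rpm's version-segment ordering in Python (the numeric/alphabetic and `~` rules; the rarely used `^` marker is left out), splits `[epoch:]version-release`, and walks the OSV `ECOSYSTEM` events in order. The advisory fields are copied from the record above; the installed version strings at the bottom are constructed sample inputs.

```python
"""Check installed Mageia RPM versions against an OSV ECOSYSTEM range (added example)."""
import json
import re

# Subset of the MGASA-2025-0260 record: only the fields the check needs.
ADVISORY = json.loads("""{
  "id": "MGASA-2025-0260",
  "affected": [{
    "package": {"name": "mediawiki", "ecosystem": "Mageia:9"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "1.35.14-1.1.mga9"}]}]
  }]
}""")

# rpm compares versions segment by segment: runs of digits, runs of letters,
# and the pre-release marker '~'. Separators such as '.' and '_' are ignored.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering two version/release strings like rpm does.

    Reimplementation for illustration (not rpm's code); the '^' marker is omitted.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        xa = sa[i] if i < len(sa) else None
        xb = sb[i] if i < len(sb) else None
        if xa is None and xb is None:
            return 0
        # '~' sorts before anything, even the end of the string: 1.0 > 1.0~rc1.
        if xa == "~" or xb == "~":
            if xa != "~":
                return 1
            if xb != "~":
                return -1
            i += 1
            continue
        if xa is None:            # a is a prefix of b, so b is newer
            return -1
        if xb is None:
            return 1
        # A numeric segment is newer than an alphabetic one: 1.0.1 > 1.0.a.
        if xa.isdigit() != xb.isdigit():
            return 1 if xa.isdigit() else -1
        if xa.isdigit():
            ia, ib = int(xa), int(xb)
            c = (ia > ib) - (ia < ib)
        else:
            c = (xa > xb) - (xa < xb)
        if c:
            return c
        i += 1


def parse_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.rpartition("-")
    if not version:               # no '-' present: the whole string is the version
        version, release = release, ""
    return epoch, version, release


def evrcmp(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_affected(advisory, ecosystem, name, installed_evr):
    """True if installed_evr lies inside any ECOSYSTEM range for the package.

    OSV events are sorted ascending, so walking them in order flips the state
    to vulnerable at 'introduced' and back at 'fixed' / 'last_affected'.
    """
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in entry.get("ranges", []):
            if rng["type"] != "ECOSYSTEM":
                continue
            vulnerable = False
            for ev in rng["events"]:
                if "introduced" in ev:
                    v = ev["introduced"]
                    if v == "0" or evrcmp(installed_evr, v) >= 0:
                        vulnerable = True
                elif "fixed" in ev and evrcmp(installed_evr, ev["fixed"]) >= 0:
                    vulnerable = False
                elif "last_affected" in ev and evrcmp(installed_evr, ev["last_affected"]) > 0:
                    vulnerable = False
            if vulnerable:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs. On a real host the installed EVR comes from:
    #   rpm -q --qf '%{EVR}\n' mediawiki
    for evr in ("1.35.13-1.mga9", "1.35.14-1.mga9", "1.35.14-1.1.mga9", "1.35.14-2.mga9"):
        state = "VULNERABLE" if is_affected(ADVISORY, "Mageia:9", "mediawiki", evr) else "fixed"
        print(f"{ADVISORY['id']}: mediawiki-{evr} -> {state}")
```

Note that the record's `ecosystem` is `Mageia:9`, so the same package on another Mageia release is not matched by this advisory and must be checked against its own record rather than assumed fixed or vulnerable.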