[FEDORA-2020-a4802c53d9] Fedora 33: php-wikimedia-assert, mediawiki, php-zordius-lightncandy, php-oojs-oojs-ui

Severity High
Affected Packages 4
CVEs 9

https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000263.html

The 1.34.x series is now end-of-life and the 1.35.x series is an LTS release.

ID: FEDORA-2020-a4802c53d9
Severity: high
Severity from: CVE-2020-26121
URL: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a4802c53d9
Published: 2020-12-14T00:59:10
Modified: 2020-12-14T00:59:10
Rights: Copyright 2020 Red Hat, Inc.

Other Advisories

| Source | ID | Name | URL |
|---|---|---|---|
| Bugzilla | 1903778 | Bug #1903778 - CVE-2020-25828 mediawiki: non-jqueryMsg version of mw.message().parse() doesn't escape HTML leads to XSS [fedora-all] | https://bugzilla.redhat.com/show_bug.cgi?id=1903778 |
| Bugzilla | 1903753 | Bug #1903753 - CVE-2020-26120 mediawiki: XSS exists in the MobileFrontend extension [fedora-all] | https://bugzilla.redhat.com/show_bug.cgi?id=1903753 |
| Bugzilla | 1882555 | Bug #1882555 - mediawiki-1.35.0 is available | https://bugzilla.redhat.com/show_bug.cgi?id=1882555 |
| Bugzilla | 1288786 | Bug #1288786 - php-zordius-lightncandy-1.2.5 is available | https://bugzilla.redhat.com/show_bug.cgi?id=1288786 |
| Bugzilla | 1903775 | Bug #1903775 - CVE-2020-25814 mediawiki: XSS via javascript:payload [fedora-all] | https://bugzilla.redhat.com/show_bug.cgi?id=1903775 |
| Bugzilla | 1903760 | Bug #1903760 - CVE-2020-25815 mediawiki: LogEventList::getFiltersDesc is insecurely using message text to build options names for HTML multi-select field [fedora-all] | https://bugzilla.redhat.com/show_bug.cgi?id=1903760 |
| Bugzilla | 1903765 | Bug #1903765 - CVE-2020-25813 mediawiki: Special:UserRights exposes the existence of hidden users [fedora-all] | https://bugzilla.redhat.com/show_bug.cgi?id=1903765 |
| Bugzilla | 1903762 | Bug #1903762 - CVE-2020-25827 mediawiki: using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level [fedora-all] | https://bugzilla.redhat.com/show_bug.cgi?id=1903762 |
| Bugzilla | 1903771 | Bug #1903771 - CVE-2020-25869 mediawiki: handling of actor ID does not necessarily use the correct database or correct wiki leads to information disclosure [fedora-all] | https://bugzilla.redhat.com/show_bug.cgi?id=1903771 |
| Bugzilla | 1903755 | Bug #1903755 - CVE-2020-26121 mediawiki: attacker can import a file even when the target page is protected against page creation [fedora-all] | https://bugzilla.redhat.com/show_bug.cgi?id=1903755 |
| Bugzilla | 1667755 | Bug #1667755 - php-wikimedia-assert-0.5.0 is available | https://bugzilla.redhat.com/show_bug.cgi?id=1667755 |
| Bugzilla | 1903769 | Bug #1903769 - CVE-2020-25812 mediawiki: XSS using raw HTML [fedora-all] | https://bugzilla.redhat.com/show_bug.cgi?id=1903769 |

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:rpm/fedora/php-zordius-lightncandy?distro=fedora-33 | fedora | php-zordius-lightncandy | < 1.2.5.1.fc33 | fedora-33 | | |
| Affected | pkg:rpm/fedora/php-wikimedia-assert?distro=fedora-33 | fedora | php-wikimedia-assert | < 0.5.0.1.fc33 | fedora-33 | | |
| Affected | pkg:rpm/fedora/php-oojs-oojs-ui?distro=fedora-33 | fedora | php-oojs-oojs-ui | < 0.39.3.1.fc33 | fedora-33 | | |
| Affected | pkg:rpm/fedora/mediawiki?distro=fedora-33 | fedora | mediawiki | < 1.35.0.1.fc33 | fedora-33 | | |