{"id":"MGASA-2021-0086","summary":"Updated mediawiki packages fix security vulnerability","details":"In MediaWiki before 1.31.11, the messages userrights-expiry-current and\nuserrights-expiry-none can contain raw HTML. XSS can happen when a user visits\nSpecial:UserRights but does not have rights to change all userrights, and the\ntable on the left side has unchangeable groups in it. The right column with\nthe changeable groups is not affected and is escaped correctly\n(CVE-2020-35475).\n\nMediaWiki before 1.31.11 blocks legitimate attempts to hide log entries in\nsome situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main\nPage, visits a log entry on Special:Log, and toggles the \"Change visibility of\nselected log entries\" checkbox (or a tags checkbox) next to it, there is a\nredirection to the main page's action=historysubmit instead of the desired\nbehavior in which a revision-deletion form appears (CVE-2020-35477).\n\nMediaWiki before 1.31.11 allows XSS via BlockLogFormatter.php.\nLanguage::translateBlockExpiry itself does not escape in all code paths. For\nexample, the return of Language::userTimeAndDate is always unsafe for HTML\nin a month value (CVE-2020-35479).\n\nAn issue was discovered in MediaWiki before 1.31.11. Missing users (accounts\nthat don't exist) and hidden users (accounts that have been explicitly hidden\ndue to being abusive, or similar) that the viewer cannot see are handled\ndifferently, exposing sensitive information about the hidden status to\nunprivileged viewers. This exists on various code paths (CVE-2020-35480).\n","modified":"2026-04-16T00:10:37.560686191Z","published":"2021-02-19T10:27:54Z","upstream":["CVE-2020-35475","CVE-2020-35477","CVE-2020-35479","CVE-2020-35480"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0086.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27781"},{"type":"WEB","url":"https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html"},{"type":"WEB","url":"https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000269.html"},{"type":"WEB","url":"https://www.debian.org/security/2020/dsa-4816"}],"affected":[{"package":{"name":"mediawiki","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/mediawiki?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.31.12-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0086.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}