MediaWiki: All releases tagged Minor security fixes

Release Notes: A cross-site scripting (XSS) vulnerability was fixed. Fatal errors with unusual file repository configurations, such as ForeignAPIRepo, were fixed. The "change password" link on Special:Preferences was changed to have the correct returnto parameter.

  •  15 Dec 2008 13:44

Release Notes: XSS and CSRF vulnerabilities were fixed.

  •  05 Mar 2008 04:50

Release Notes: Possible cross-site information leaks using the callback parameter for JSON-formatted results in the API are prevented by dropping user credentials.

  •  24 Jan 2008 22:36

Release Notes: This release fixes a potential XSS issue affecting api.php on Microsoft Internet Explorer only.

  •  20 Feb 2007 22:52

Release Notes: An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7 charset autodetection was located in the AJAX support module, affecting MSIE users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled. Minor compatibility fixes for IIS and PostgreSQL are also included.

  •  09 Jan 2007 00:59

Release Notes: An XSS injection vulnerability was located in the Ajax support module, affecting MediaWiki 1.6.x and up when the optional $wgUseAjax setting is enabled. There is no danger in the default configuration, with $wgUseAjax off. If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix: 1.8.3, 1.7.2, 1.6.9, or 1.9.0rc2 release candidate.

  •  06 Jun 2006 02:50

Release Notes: An HTML/JavaScript-injection vulnerability in the edit form has been closed. This vulnerability was new in 1.6.0. Versions 1.5.x or earlier are not affected. Extensions, comments, and <nowiki> sections are now handled in a one-pass way, which is more reliable and safer. Under earlier versions, certain extensions could be abused to inject HTML/JavaScript into the page. Additional precautions are taken against offsite form submissions when the restricted raw HTML mode is enabled.

  •  26 Mar 2006 17:18

Release Notes: A bug in decoding of certain encoded links could allow injection of raw HTML into page output, which could potentially lead to XSS attacks.

  •  19 Jan 2006 02:05

Release Notes: A bug in edit comment formatting was fixed that could send PHP into an infinite loop if certain malformed links were included. In most installations, this would cause the script to fail after PHP's 30-second failsafe timeout. Some improvements were made to the installer, which should make installation possible on a system with a broken MySQL "root" account.

  •  06 Jan 2006 03:33

Release Notes: Detection for uploads of Windows Metafile (.wmf) images was added to help protect against a client-side vulnerability in unpatched Microsoft Windows operating systems. Additionally, a removeUnusedAccounts.php maintenance script was added. This replaces an older Perl script which had not been updated for the new schema in 1.5.

