CVE-2017-6155
On F5 BIG-IP 13.0.0, 12.0.0-12.1.3.1, 11.6.0-11.6.2, 11.4.1-11.5.5, or 11.2.1, malformed SPDY or HTTP/2 requests may result in a disruption of service to TMM. Data plane is only exposed when a SPDY or HTTP/2 profile...
Responses to SOCKS proxy requests made through F5 BIG-IP version 13.0.0, 12.0.0-12.1.3.1, 11.6.1-11.6.2, or 11.5.1-11.5.5 may cause a disruption of services provided by TMM. The data plane is impacted and exposed only when a...
X509 certificate verification was not correctly implemented in the IP Intelligence Subscription and IP Intelligence feed-list features, and thus the remote server’s identity is not properly validated in F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.2, or 11.5.0-11.5.5....
Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities. Date published : 2018-04-13 https://phabricator.wikimedia.org/T158689 https://security-tracker.debian.org/tracker/CVE-2017-0372
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the Spam blacklist is ineffective on encoded URLs inside the file inclusion syntax’s link parameter. Date published : 2018-04-13 https://phabricator.wikimedia.org/T48143 https://security-tracker.debian.org/tracker/CVE-2017-0370
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing sysops to undelete pages even though the page is protected against it. Date published : 2018-04-13 https://phabricator.wikimedia.org/T108138 https://security-tracker.debian.org/tracker/CVE-2017-0369
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw making rawHTML mode apply to system messages. Date published : 2018-04-13 https://phabricator.wikimedia.org/T156184 https://security-tracker.debian.org/tracker/CVE-2017-0368
Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of a temporary directory: the LocalisationCache directory defaults to the system tmp directory, which is insecure. Date published : 2018-04-13 https://phabricator.wikimedia.org/T161453 https://security-tracker.debian.org/tracker/CVE-2017-0367
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that allows the SVG filter to be evaded using default attribute values in a DTD declaration. Date published : 2018-04-13 https://phabricator.wikimedia.org/T151735 https://security-tracker.debian.org/tracker/CVE-2017-0366
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations. Date published : 2018-04-13 https://phabricator.wikimedia.org/T144845 https://security-tracker.debian.org/tracker/CVE-2017-0365
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link. Date published : 2018-04-13 https://phabricator.wikimedia.org/T122209 https://security-tracker.debian.org/tracker/CVE-2017-0364
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites. Date published : 2018-04-13 https://phabricator.wikimedia.org/T109140 https://security-tracker.debian.org/tracker/CVE-2017-0363
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. Date published : 2018-04-13 https://phabricator.wikimedia.org/T150044 https://security-tracker.debian.org/tracker/CVE-2017-0362
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext. Date published : 2018-04-13 https://phabricator.wikimedia.org/T125177 https://security-tracker.debian.org/tracker/CVE-2017-0361