Debian dla-4355 : mediawiki - security update

medium Nessus Plugin ID 272096

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4355 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4355-1
[email protected]
https://www.debian.org/lts/security/
Guilhem Moulin
October 31, 2025
https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : mediawiki
Version : 1:1.35.13-1+deb11u5
CVE ID : CVE-2025-11173 CVE-2025-11261 CVE-2025-61635 CVE-2025-61638 CVE-2025-61639 CVE-2025-61640 CVE-2025-61641 CVE-2025-61643 CVE-2025-61646 CVE-2025-61653 CVE-2025-61655 CVE-2025-61656

Multiple security vulnerabilities were found in mediawiki, a website engine for collaborative work, that could lead to information disclosure, denial of service or privilege escalation.

CVE-2025-11173

OATHAuth extension: Reauthentication for enabling 2FA can be bypassed by submitting a form in Special:OATHManage.

CVE-2025-11261

Stored i18n Cross-site scripting (XSS) vulnerability in mw.language.listToText.

CVE-2025-61635

ConfirmEdit extension: Missing rate limiting in ApiFancyCaptchaReload.

CVE-2025-61638

Parsoid: Validation bypass for `data-` attributes.

CVE-2025-61639

Log entries which are hidden from the creation of the entry may be disclosed to the public recent change entry.

CVE-2025-61640

Stored i18n Cross-site scripting (XSS) vulnerability in Special:RecentChangesLinked.

CVE-2025-61641

DDoS vulnerability in QueryAllPages API in miser mode. The `maxsize` value is now ignored in that mode.

CVE-2025-61643

Suppressed recent changes may be disclosed to the public RCFeeds.

CVE-2025-61646

Public Watchlist/RecentChanges pages may disclose hidden usernames when an individual editor makes consecutive revisions on a single page, and only some are marked as hidden username.

CVE-2025-61653

TextExtracts extension: Information disclosure vulnerability in the extracts API action endpoint due to missing read permission check.

CVE-2025-61655

VisualEditor extension: Stored i18n Cross-site scripting (XSS) vulnerability in `lastModifiedAt` system messages.

CVE-2025-61656

VisualEditor extension: Missing attribute validation for attributes unwrapped from `data-ve-attributes`.

For Debian 11 bullseye, these problems have been fixed in version 1:1.35.13-1+deb11u5.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the mediawiki packages.

See Also

https://security-tracker.debian.org/tracker/source-package/mediawiki

https://security-tracker.debian.org/tracker/CVE-2025-11173

https://security-tracker.debian.org/tracker/CVE-2025-11261

https://security-tracker.debian.org/tracker/CVE-2025-61635

https://security-tracker.debian.org/tracker/CVE-2025-61638

https://security-tracker.debian.org/tracker/CVE-2025-61639

https://security-tracker.debian.org/tracker/CVE-2025-61640

https://security-tracker.debian.org/tracker/CVE-2025-61641

https://security-tracker.debian.org/tracker/CVE-2025-61643

https://security-tracker.debian.org/tracker/CVE-2025-61646

https://security-tracker.debian.org/tracker/CVE-2025-61653

https://security-tracker.debian.org/tracker/CVE-2025-61655

https://security-tracker.debian.org/tracker/CVE-2025-61656

https://packages.debian.org/source/bullseye/mediawiki

Plugin Details

Severity: Medium

ID: 272096

File Name: debian_DLA-4355.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/31/2025

Updated: 10/31/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2025-61656

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:mediawiki, p-cpe:/a:debian:debian_linux:mediawiki-classes

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 10/31/2025

Vulnerability Publication Date: 10/31/2025

Reference Information

CVE: CVE-2025-11173, CVE-2025-11261, CVE-2025-61635, CVE-2025-61638, CVE-2025-61639, CVE-2025-61640, CVE-2025-61641, CVE-2025-61643, CVE-2025-61646, CVE-2025-61653, CVE-2025-61655, CVE-2025-61656