Detections
Analytics

Debian dla-4428 : mediawiki - security update

medium Nessus Plugin ID 280692

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4428 advisory.

 ------------------------------------------------------------------------- Debian LTS Advisory DLA-4428-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin December 30, 2025 https://wiki.debian.org/LTS
 -------------------------------------------------------------------------

 Package : mediawiki Version : 1:1.35.13-1+deb11u6 CVE ID : CVE-2025-67475 CVE-2025-67478 CVE-2025-67479 CVE-2025-67480 CVE-2025-67481 CVE-2025-67482 CVE-2025-67484

 Multiple security vulnerabilities were found in mediawiki, a website engine for collaborative work, which could lead to information disclosure, denial of service or privilege escalation.

 CVE-2025-67475

 Square brackets in autocomment links were not always escaped.

 CVE-2025-67478

 Commas not separating values in RFC 2822 style headers were not escaped, hence could be interpreted downstream as value separators.

 CVE-2025-67479

 Underscore and wide underscore were not always sanitized in `data-*` attribute names.

 CVE-2025-67480

 ApiQueryRevisionsBase did not check for read permissions for the target page.

 CVE-2025-67481

 Insufficient `style` attribute sanitation in client-side messages (jqueryMsg).

 As such attributes are difficult to sanitize properly (the logic needs to be updated constantly as new CSS features are developed by browser vendors) and their use cases in client-side messages are extremely rare, they are no longer allowed.

 If needed, `class` and `id` are still allowed, so these elements can be targeted by normal stylesheets.

 CVE-2025-67482

 Scribunto extension: Segfault in unpack() with large integers affecting some builds of Lua.

 CVE-2025-67484

 Cross-site scripting (XSS) vulnerability via xslt option for users with the editinterface permission. The xslt option is now disabled by default. If the former unsafe behavior is desired, is can be re-enabled by setting `$wgEnableUnsafeXsltOption` to true.

 For Debian 11 bullseye, these problems have been fixed in version 1:1.35.13-1+deb11u6.

 We recommend that you upgrade your mediawiki packages.

 For the detailed security status of mediawiki please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/mediawiki

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
 signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the mediawiki packages.

See Also

https://security-tracker.debian.org/tracker/source-package/mediawiki

https://security-tracker.debian.org/tracker/CVE-2025-67475

https://security-tracker.debian.org/tracker/CVE-2025-67478

https://security-tracker.debian.org/tracker/CVE-2025-67479

https://security-tracker.debian.org/tracker/CVE-2025-67480

https://security-tracker.debian.org/tracker/CVE-2025-67481

https://security-tracker.debian.org/tracker/CVE-2025-67482

https://security-tracker.debian.org/tracker/CVE-2025-67484

https://packages.debian.org/source/bullseye/mediawiki

Plugin Details

Severity: Medium

ID: 280692

File Name: debian_DLA-4428.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/30/2025

Updated: 12/30/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2025-67484

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:mediawiki, p-cpe:/a:debian:debian_linux:mediawiki-classes

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 12/30/2025

Vulnerability Publication Date: 12/30/2025

Reference Information

CVE: CVE-2025-67475, CVE-2025-67478, CVE-2025-67479, CVE-2025-67480, CVE-2025-67481, CVE-2025-67482, CVE-2025-67484