Mediawiki
by MediaWiki
CVEs (262)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-30157 | | | 0.00 | — | 0.01 | | Apr 6, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS. |
| CVE-2021-30158 | | | 0.00 | — | 0.02 | | Apr 6, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been… |
| CVE-2020-35479 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later. |
| CVE-2020-35477 | | | 0.00 | — | 0.02 | | Dec 18, 2020 | MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" checkbox (or a tags checkbox)… |
| CVE-2020-35474 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML. |
| CVE-2012-4381 | | | 0.00 | — | 0.04 | | Feb 8, 2020 | MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict… |
| CVE-2013-6451 | | | 0.00 | — | 0.01 | | Jan 28, 2020 | Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values. |
| CVE-2013-4303 | | | 0.00 | — | 0.02 | | Dec 11, 2019 | includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to… |
| CVE-2013-1817 | | | 0.00 | — | 0.03 | | Nov 20, 2019 | MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information. |
| CVE-2013-1816 | | | 0.00 | — | 0.03 | | Nov 20, 2019 | MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request. |
| CVE-2013-1951 | | | 0.00 | — | 0.02 | | Oct 31, 2019 | A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 allows remote attackers to inject arbitrary web script or HTML via Lua function names. |
| CVE-2012-0046 | | | 0.00 | — | 0.01 | | Oct 29, 2019 | MediaWiki allows deleted text to be exposed. |
| CVE-2015-8005 | | | 0.00 | — | 0.01 | | Nov 9, 2015 | MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file. |
| CVE-2015-8004 | | | 0.00 | — | 0.02 | | Nov 9, 2015 | MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns… |
| CVE-2015-8003 | | | 0.00 | — | 0.02 | | Nov 9, 2015 | MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not throttle file uploads, which allows remote authenticated users to have unspecified impact via multiple file uploads. |
| CVE-2015-8002 | | | 0.00 | — | 0.02 | | Nov 9, 2015 | The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authenticated users to cause a denial of service (disk consumption) via a file upload using one byte chunks. |
| CVE-2015-8001 | | | 0.00 | — | 0.02 | | Nov 9, 2015 | The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file… |
| CVE-2015-6734 | | | 0.00 | — | 0.02 | | Sep 1, 2015 | Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to inject arbitrary web script or HTML via… |
| CVE-2015-6733 | | | 0.00 | — | 0.03 | | Sep 1, 2015 | GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors. |
| CVE-2015-6730 | | | 0.00 | — | 0.02 | | Sep 1, 2015 | Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter, which is not properly handled in an error page, related to… |