Vendor CVEs
MediaWiki
All CVEs
381 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-44856 | 0.00 | — | 0.00 | Dec 26, 2022 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value. | |||
| CVE-2021-44855 | 0.00 | — | 0.01 | Dec 26, 2022 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature. | |||
| CVE-2022-41765 | 0.00 | — | 0.01 | Dec 26, 2022 | An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. | |||
| CVE-2022-42985 | 0.00 | — | 0.00 | Nov 17, 2022 | The ScratchLogin extension through 1.1 for MediaWiki does not escape verification failure messages, which allows users with administrator privileges to perform cross-site scripting (XSS). | |||
| CVE-2022-28204 | 0.00 | — | 0.01 | Sep 19, 2022 | A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk. | |||
| CVE-2022-28201 | 0.00 | — | 0.00 | Sep 19, 2022 | An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. | |||
| CVE-2022-28203 | 0.00 | — | 0.01 | Sep 19, 2022 | A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query. | |||
| CVE-2022-39194 | 0.00 | — | 0.01 | Sep 2, 2022 | An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed. | |||
| CVE-2022-34911 | 0.00 | — | 0.01 | Jul 2, 2022 | An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the… | |||
| CVE-2022-34912 | 0.00 | — | 0.01 | Jul 2, 2022 | An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped. | |||
| CVE-2022-34750 | 0.00 | — | 0.01 | Jun 28, 2022 | An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack… | |||
| CVE-2022-29969 | 0.00 | — | 0.01 | May 2, 2022 | The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true). | |||
| CVE-2022-28323 | 0.00 | — | 0.01 | Apr 30, 2022 | An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported, | |||
| CVE-2022-29903 | 0.00 | — | 0.00 | Apr 29, 2022 | The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains. | |||
| CVE-2022-29905 | 0.00 | — | 0.00 | Apr 29, 2022 | The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF. | |||
| CVE-2022-29906 | 0.00 | — | 0.01 | Apr 29, 2022 | The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user. | |||
| CVE-2022-29907 | 0.00 | — | 0.01 | Apr 29, 2022 | The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages. | |||
| CVE-2022-29547 | 0.00 | — | 0.01 | Apr 21, 2022 | The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the target page. This could lead to an unauthorised (or blocked) user being able to edit a page. | |||
| CVE-2022-28206 | 0.00 | — | 0.01 | Mar 30, 2022 | An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights. | |||
| CVE-2022-28209 | 0.00 | — | 0.01 | Mar 30, 2022 | An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect. | |||
| CVE-2022-28205 | 0.00 | — | 0.01 | Mar 30, 2022 | An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future. | |||
| CVE-2022-28202 | 0.00 | — | 0.01 | Mar 30, 2022 | An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete. | |||
| CVE-2017-0371 | 0.00 | — | 0.02 | Feb 18, 2022 | MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the… | |||
| CVE-2021-46147 | 0.00 | — | 0.01 | Jan 7, 2022 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF. | |||
| CVE-2021-46148 | 0.00 | — | 0.01 | Jan 7, 2022 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Some unprivileged users can view confidential information (e.g., IP addresses and User-Agent headers for election traffic) on a testwiki SecurePoll instance. | |||
| CVE-2021-46150 | 0.00 | — | 0.01 | Jan 7, 2022 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Special:CheckUserLog allows CheckUser XSS because of date mishandling, as demonstrated by an XSS payload in MediaWiki:October. | |||
| CVE-2021-46146 | 0.00 | — | 0.01 | Jan 7, 2022 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The WikibaseMediaInfo component is vulnerable to XSS via the caption fields for a given media file. | |||
| CVE-2021-45471 | 0.00 | — | 0.01 | Dec 24, 2021 | In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items. | |||
| CVE-2021-45472 | 0.00 | — | 0.01 | Dec 24, 2021 | In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used. | |||
| CVE-2021-45474 | 0.00 | — | 0.01 | Dec 24, 2021 | In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter. | |||
| CVE-2021-44858 | 0.00 | — | 0.01 | Dec 20, 2021 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead. | |||
| CVE-2021-45038 | 0.00 | — | 0.01 | Dec 17, 2021 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback query, attackers can view private wiki contents. | |||
| CVE-2021-44857 | 0.00 | — | 0.01 | Dec 17, 2021 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any… | |||
| CVE-2021-41801 | 0.00 | — | 0.01 | Oct 11, 2021 | The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog) | |||
| CVE-2021-41799 | 0.00 | — | 0.02 | Oct 11, 2021 | MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan. | |||
| CVE-2021-41798 | 0.00 | — | 0.01 | Oct 11, 2021 | MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page. | |||
| CVE-2021-42045 | 0.00 | — | 0.01 | Oct 6, 2021 | An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote. | |||
| CVE-2021-42046 | 0.00 | — | 0.01 | Oct 6, 2021 | An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript. | |||
| CVE-2021-42047 | 0.00 | — | 0.01 | Oct 6, 2021 | An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can login with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallba… | |||
| CVE-2021-42048 | 0.00 | — | 0.01 | Oct 6, 2021 | An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits. | |||
| CVE-2021-42043 | 0.00 | — | 0.01 | Oct 6, 2021 | An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the… | |||
| CVE-2021-31556 | 0.00 | — | 0.02 | Aug 12, 2021 | An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob. | |||
| CVE-2021-36129 | 0.00 | — | 0.01 | Jul 2, 2021 | An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various… | |||
| CVE-2021-36130 | 0.00 | — | 0.01 | Jul 2, 2021 | An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could… | |||
| CVE-2021-36131 | 0.00 | — | 0.00 | Jul 2, 2021 | An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users. | |||
| CVE-2021-36132 | 0.00 | — | 0.01 | Jul 2, 2021 | An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform… | |||
| CVE-2021-35197 | 0.00 | — | 0.02 | Jul 2, 2021 | In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block"… | |||
| CVE-2021-29483 | 0.00 | — | 0.01 | Apr 28, 2021 | ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patc… | |||
| CVE-2021-31550 | 0.00 | — | 0.00 | Apr 22, 2021 | An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers. | |||
| CVE-2021-31551 | 0.00 | — | 0.01 | Apr 22, 2021 | An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages. |
- CVE-2021-44856Dec 26, 2022risk 0.00cvss —epss 0.00
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.
- CVE-2021-44855Dec 26, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.
- CVE-2022-41765Dec 26, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.
- CVE-2022-42985Nov 17, 2022risk 0.00cvss —epss 0.00
The ScratchLogin extension through 1.1 for MediaWiki does not escape verification failure messages, which allows users with administrator privileges to perform cross-site scripting (XSS).
- CVE-2022-28204Sep 19, 2022risk 0.00cvss —epss 0.01
A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk.
- CVE-2022-28201Sep 19, 2022risk 0.00cvss —epss 0.00
An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.
- CVE-2022-28203Sep 19, 2022risk 0.00cvss —epss 0.01
A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.
- CVE-2022-39194Sep 2, 2022risk 0.00cvss —epss 0.01
An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed.
- CVE-2022-34911Jul 2, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the…
- CVE-2022-34912Jul 2, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.
- CVE-2022-34750Jun 28, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack…
- CVE-2022-29969May 2, 2022risk 0.00cvss —epss 0.01
The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true).
- CVE-2022-28323Apr 30, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,
- CVE-2022-29903Apr 29, 2022risk 0.00cvss —epss 0.00
The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.
- CVE-2022-29905Apr 29, 2022risk 0.00cvss —epss 0.00
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.
- CVE-2022-29906Apr 29, 2022risk 0.00cvss —epss 0.01
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.
- CVE-2022-29907Apr 29, 2022risk 0.00cvss —epss 0.01
The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages.
- CVE-2022-29547Apr 21, 2022risk 0.00cvss —epss 0.01
The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the target page. This could lead to an unauthorised (or blocked) user being able to edit a page.
- CVE-2022-28206Mar 30, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.
- CVE-2022-28209Mar 30, 2022risk 0.00cvss —epss 0.01
An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.
- CVE-2022-28205Mar 30, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future.
- CVE-2022-28202Mar 30, 2022risk 0.00cvss —epss 0.01
An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.
- CVE-2017-0371Feb 18, 2022risk 0.00cvss —epss 0.02
MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the…
- CVE-2021-46147Jan 7, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.
- CVE-2021-46148Jan 7, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Some unprivileged users can view confidential information (e.g., IP addresses and User-Agent headers for election traffic) on a testwiki SecurePoll instance.
- CVE-2021-46150Jan 7, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Special:CheckUserLog allows CheckUser XSS because of date mishandling, as demonstrated by an XSS payload in MediaWiki:October.
- CVE-2021-46146Jan 7, 2022risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The WikibaseMediaInfo component is vulnerable to XSS via the caption fields for a given media file.
- CVE-2021-45471Dec 24, 2021risk 0.00cvss —epss 0.01
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items.
- CVE-2021-45472Dec 24, 2021risk 0.00cvss —epss 0.01
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.
- CVE-2021-45474Dec 24, 2021risk 0.00cvss —epss 0.01
In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.
- CVE-2021-44858Dec 20, 2021risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead.
- CVE-2021-45038Dec 17, 2021risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback query, attackers can view private wiki contents.
- CVE-2021-44857Dec 17, 2021risk 0.00cvss —epss 0.01
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any…
- CVE-2021-41801Oct 11, 2021risk 0.00cvss —epss 0.01
The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog)
- CVE-2021-41799Oct 11, 2021risk 0.00cvss —epss 0.02
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan.
- CVE-2021-41798Oct 11, 2021risk 0.00cvss —epss 0.01
MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.
- CVE-2021-42045Oct 6, 2021risk 0.00cvss —epss 0.01
An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote.
- CVE-2021-42046Oct 6, 2021risk 0.00cvss —epss 0.01
An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.
- CVE-2021-42047Oct 6, 2021risk 0.00cvss —epss 0.01
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can login with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallba…
- CVE-2021-42048Oct 6, 2021risk 0.00cvss —epss 0.01
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.
- CVE-2021-42043Oct 6, 2021risk 0.00cvss —epss 0.01
An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the…
- CVE-2021-31556Aug 12, 2021risk 0.00cvss —epss 0.02
An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob.
- CVE-2021-36129Jul 2, 2021risk 0.00cvss —epss 0.01
An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various…
- CVE-2021-36130Jul 2, 2021risk 0.00cvss —epss 0.01
An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could…
- CVE-2021-36131Jul 2, 2021risk 0.00cvss —epss 0.00
An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users.
- CVE-2021-36132Jul 2, 2021risk 0.00cvss —epss 0.01
An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform…
- CVE-2021-35197Jul 2, 2021risk 0.00cvss —epss 0.02
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block"…
- CVE-2021-29483Apr 28, 2021risk 0.00cvss —epss 0.01
ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patc…
- CVE-2021-31550Apr 22, 2021risk 0.00cvss —epss 0.00
An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers.
- CVE-2021-31551Apr 22, 2021risk 0.00cvss —epss 0.01
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages.
Page 4 of 8