Vendor CVEs
MediaWiki
All CVEs
381 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-31553 | MediaWiki | | 0.00 | — | 0.01 | | Apr 22, 2021 | An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2. MediaWiki usernames with trailing whitespace could be stored in the cu_log database table such that denial of service occurred for certain CheckUser extension pages and functionality. For example,… |
| CVE-2021-31555 | MediaWiki | | 0.00 | — | 0.01 | | Apr 22, 2021 | An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. It did not validate the oarc_version (aka oauth_registered_consumer.oarc_version) parameter's length. |
| CVE-2021-30159 | MediaWiki | | 0.00 | — | 0.02 | | Apr 9, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if… |
| CVE-2021-30156 | MediaWiki | | 0.00 | — | 0.01 | | Apr 9, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists. |
| CVE-2021-30155 | MediaWiki | | 0.00 | — | 0.01 | | Apr 9, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page. |
| CVE-2021-30152 | MediaWiki | | 0.00 | — | 0.01 | | Apr 9, 2021 | An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for. |
| CVE-2021-30154 | MediaWiki | | 0.00 | — | 0.01 | | Apr 6, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS. |
| CVE-2021-30157 | MediaWiki | | 0.00 | — | 0.01 | | Apr 6, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS. |
| CVE-2021-30158 | MediaWiki | | 0.00 | — | 0.02 | | Apr 6, 2021 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been… |
| CVE-2020-29004 | MediaWiki | | 0.00 | — | 0.01 | | Jan 29, 2021 | The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. |
| CVE-2020-29005 | MediaWiki | | 0.00 | — | 0.01 | | Jan 29, 2021 | The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure. |
| CVE-2020-35622 | MediaWiki | | 0.00 | — | 0.01 | | Dec 21, 2020 | An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions. |
| CVE-2020-35623 | MediaWiki | | 0.00 | — | 0.01 | | Dec 21, 2020 | An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat… |
| CVE-2020-35624 | MediaWiki | | 0.00 | — | 0.01 | | Dec 21, 2020 | An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process unfolded. |
| CVE-2020-35625 | MediaWiki | | 0.00 | — | 0.01 | | Dec 21, 2020 | An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty… |
| CVE-2020-35626 | MediaWiki | | 0.00 | — | 0.01 | | Dec 21, 2020 | An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php. |
| CVE-2020-35479 | MediaWiki | | 0.00 | — | 0.01 | | Dec 18, 2020 | MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later. |
| CVE-2020-35477 | MediaWiki | | 0.00 | — | 0.02 | | Dec 18, 2020 | MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" checkbox (or a tags checkbox)… |
| CVE-2020-35474 | MediaWiki | | 0.00 | — | 0.01 | | Dec 18, 2020 | In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML. |
| CVE-2020-29002 | MediaWiki | | 0.00 | — | 0.01 | | Nov 24, 2020 | includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator. |
| CVE-2020-29003 | MediaWiki | | 0.00 | — | 0.01 | | Nov 24, 2020 | The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll. |
| CVE-2020-27957 | MediaWiki | | 0.00 | — | 0.01 | | Oct 28, 2020 | The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension. |
| CVE-2020-27621 | MediaWiki | | 0.00 | — | 0.01 | | Oct 22, 2020 | The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data.… |
| CVE-2020-26121 | MediaWiki | | 0.00 | — | 0.01 | | Sep 27, 2020 | An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction… |
| CVE-2020-26120 | MediaWiki | | 0.00 | — | 0.01 | | Sep 27, 2020 | XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image… |
| CVE-2019-16529 | MediaWiki | | 0.00 | — | 0.01 | | Mar 19, 2020 | An issue was discovered in the CheckUser extension through 1.35.0 for MediaWiki. Oversighted edit summaries are still visible in CheckUser results in violation of MediaWiki's permissions model. |
| CVE-2019-15124 | MediaWiki | | 0.00 | — | 0.01 | | Mar 19, 2020 | In the MobileFrontend extension for MediaWiki, XSS exists within the edit summary field of the watchlist feed. This affects REL1_31, REL1_32, and REL1_33. |
| CVE-2020-10534 | MediaWiki | | 0.00 | — | 0.01 | | Mar 12, 2020 | In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is… |
| CVE-2012-4381 | MediaWiki | | 0.00 | — | 0.04 | | Feb 8, 2020 | MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict… |
| CVE-2013-6451 | MediaWiki | | 0.00 | — | 0.01 | | Jan 28, 2020 | Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.21.x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values. |
| CVE-2014-9481 | MediaWiki | | 0.00 | — | 0.01 | | Jan 27, 2020 | The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML. |
| CVE-2020-6163 | MediaWiki | | 0.00 | — | 0.01 | | Jan 8, 2020 | The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file). |
| CVE-2019-19910 | MediaWiki | | 0.00 | — | 0.01 | | Dec 19, 2019 | The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 and/or 1.34) mishandles certain HTML attributes, as demonstrated by IMG onmouseover= (impact is XSS) and IMG src=http (impact is disclosing the client's IP address). This can occur within a talk page topical… |
| CVE-2013-4303 | MediaWiki | | 0.00 | — | 0.02 | | Dec 11, 2019 | includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to… |
| CVE-2019-19708 | MediaWiki | | 0.00 | — | 0.01 | | Dec 11, 2019 | The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute. |
| CVE-2013-1817 | MediaWiki | | 0.00 | — | 0.03 | | Nov 20, 2019 | MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information. |
| CVE-2013-1816 | MediaWiki | | 0.00 | — | 0.03 | | Nov 20, 2019 | MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request. |
| CVE-2013-1951 | MediaWiki | | 0.00 | — | 0.02 | | Oct 31, 2019 | A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 allows remote attackers to inject arbitrary web script or HTML via Lua function names. |
| CVE-2019-18611 | MediaWiki | | 0.00 | — | 0.01 | | Oct 29, 2019 | An issue was discovered in the CheckUser extension through 1.34 for MediaWiki. Certain sensitive information within oversighted edit summaries made available via the MediaWiki API was potentially visible to users with various levels of access to this extension. Said users should… |
| CVE-2012-0046 | MediaWiki | | 0.00 | — | 0.01 | | Oct 29, 2019 | MediaWiki allows deleted text to be exposed. |
| CVE-2019-14807 | MediaWiki | | 0.00 | — | 0.01 | | Aug 9, 2019 | In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS exists within the edit summary field in includes/specials/MobileSpecialPageFeed.php. |
| CVE-2015-8005 | MediaWiki | | 0.00 | — | 0.01 | | Nov 9, 2015 | MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file. |
| CVE-2015-8004 | MediaWiki | | 0.00 | — | 0.02 | | Nov 9, 2015 | MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns… |
| CVE-2015-8003 | MediaWiki | | 0.00 | — | 0.02 | | Nov 9, 2015 | MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not throttle file uploads, which allows remote authenticated users to have unspecified impact via multiple file uploads. |
| CVE-2015-8002 | MediaWiki | | 0.00 | — | 0.02 | | Nov 9, 2015 | The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authenticated users to cause a denial of service (disk consumption) via a file upload using one byte chunks. |
| CVE-2015-8001 | MediaWiki | | 0.00 | — | 0.02 | | Nov 9, 2015 | The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file… |
| CVE-2015-6737 | MediaWiki | | 0.00 | — | 0.02 | | Sep 1, 2015 | Cross-site scripting (XSS) vulnerability in the Widgets extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors involving base64 encoded content. |
| CVE-2015-6736 | MediaWiki | | 0.00 | — | 0.03 | | Sep 1, 2015 | The Quiz extension for MediaWiki allows remote attackers to cause a denial of service via regex metacharacters in a regular expression. |
| CVE-2015-6735 | MediaWiki | | 0.00 | — | 0.03 | | Sep 1, 2015 | The reset functionality in the TimedMediaHandler extension for MediaWiki does not create a new transcode, which allows remote attackers to cause a denial of service (transcode deletion) by resetting a transcode. |
| CVE-2015-6734 | MediaWiki | | 0.00 | — | 0.02 | | Sep 1, 2015 | Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to inject arbitrary web script or HTML via… |
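Several entries above (CVE-2020-35474, CVE-2021-30154, CVE-2021-30157, CVE-2020-29002) share one root cause: an interface message that any wiki administrator can redefine on-wiki (a MediaWiki:<key> page) is written into the output as raw HTML. The following is an added example, not code from MediaWiki or from any extension listed on this page. It assumes it runs inside MediaWiki 1.35 with the global `Html` class and `wfMessage()` available, as in an extension's special page; the message key `myext-legend` and the function names are placeholders.

```php
<?php
// Added illustration of the Html::rawElement + Message::text pattern.
// Assumes MediaWiki 1.35 (Html, Message, wfMessage() autoloaded).
// 'myext-legend' is a hypothetical message key; an admin can change its
// definition by editing the on-wiki page MediaWiki:Myext-legend.

// VULNERABLE: Message::text() substitutes parameters but does NOT
// HTML-escape, and Html::rawElement() trusts its third argument as HTML.
// If MediaWiki:Myext-legend is edited to '<img src=x onerror=alert(1)>',
// every viewer of the page runs that script (stored XSS).
function renderLegendVulnerable(): string {
    return Html::rawElement( 'div', [ 'class' => 'myext-legend' ],
        wfMessage( 'myext-legend' )->text() );
}

// FIXED (1): treat the message as plain text. Html::element() escapes its
// contents, so markup in the message is rendered literally, not executed.
function renderLegendEscaped(): string {
    return Html::element( 'div', [ 'class' => 'myext-legend' ],
        wfMessage( 'myext-legend' )->text() );
}

// FIXED (2): if the message is meant to carry wikitext (links, emphasis),
// run it through the parser. Message::parse() returns sanitized HTML, which
// is the one Message output that may be handed to Html::rawElement().
function renderLegendParsed(): string {
    return Html::rawElement( 'div', [ 'class' => 'myext-legend' ],
        wfMessage( 'myext-legend' )->parse() );
}

// When no wrapper element is needed, Message::escaped() returns the
// HTML-escaped text directly; Message::text() and Message::plain() never
// belong inside rawElement() or in an OutputPage::addHTML() call.
```

The review check is mechanical: for every `Html::rawElement()` or `addHTML()` call, trace the string back to a `->text()`, `->plain()` or string-concatenated message and ask who can change that message on-wiki.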
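CVE-2020-29004 above describes an API write action in the Push extension that did not require an edit token. In MediaWiki's API framework, token enforcement is opt-in per module: ApiMain validates a CSRF token only when the module says it needs one. The skeleton below is an added example, not the Push extension's code or MediaWiki's own; it assumes MediaWiki 1.35's `ApiBase` and uses a placeholder module class and parameter.

```php
<?php
// Added example of a write-mode API module declaring its CSRF requirement.
// Assumes MediaWiki 1.35 ApiBase; class name, module name and the 'page'
// parameter are hypothetical.

class ApiMyExtPush extends ApiBase {

    public function execute() {
        // By the time execute() runs, ApiMain has already rejected requests
        // whose 'token' parameter is missing or not bound to this session,
        // because needsToken() below returns a token type.
        $params = $this->extractRequestParams();
        $this->checkUserRightsAny( 'edit' );

        // Real push logic would go here; the example just echoes the target.
        $this->getResult()->addValue( null, $this->getModuleName(),
            [ 'pushed' => $params['page'] ] );
    }

    // THE FIX: without this override (default false), a page on any origin
    // can trigger the action through a logged-in browser's cookies.
    // Returning 'csrf' also auto-adds the 'token' parameter to the module.
    public function needsToken() {
        return 'csrf';
    }

    // Tokens are only honoured on POST; a GET carrying a token is refused,
    // which blocks the trivial <img src=...> / link-based CSRF vectors.
    public function mustBePosted() {
        return true;
    }

    // Declares a write action so read-only mode and rate limits apply.
    public function isWriteMode() {
        return true;
    }

    public function getAllowedParams() {
        return [
            'page' => [
                ApiBase::PARAM_TYPE => 'string',
                ApiBase::PARAM_REQUIRED => true,
            ],
        ];
    }
}
```

Legitimate clients fetch the token first (`api.php?action=query&meta=tokens&type=csrf`) and POST it as `token=`; a module that performs a state change but leaves `needsToken()` at its default is the condition the CVE describes.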
Page 5 of 8