Mediawiki

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-0363 2Debian Mediawiki 2Debian Linux Mediawiki Nov 21, 2024 Apr 13, 2018 N/A· v4 6.1 MEDIUM· v3 5.8 MEDIUM· v2 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites.
CVE-2017-0362 2Debian Mediawiki 2Debian Linux Mediawiki Nov 21, 2024 Apr 13, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token.
CVE-2017-0361 2Debian Mediawiki 2Debian Linux Mediawiki Nov 21, 2024 Apr 13, 2018 N/A· v4 7.8 HIGH· v3 2.1 LOW· v2 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext.
CVE-2015-8008 2Fedoraproject Mediawiki 2Fedora Mediawiki May 13, 2026 Dec 29, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an exist...Show more The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token.Show less
CVE-2017-8815 2Debian Mediawiki 2Debian Linux Mediawiki May 13, 2026 Nov 15, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.
CVE-2017-8814 2Debian Mediawiki 2Debian Linux Mediawiki May 13, 2026 Nov 15, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk."
CVE-2017-8812 2Debian Mediawiki 2Debian Linux Mediawiki May 13, 2026 Nov 15, 2017 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline.
CVE-2017-8811 2Debian Mediawiki 2Debian Linux Mediawiki May 13, 2026 Nov 15, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks.
CVE-2017-8810 2Debian Mediawiki 2Debian Linux Mediawiki May 13, 2026 Nov 15, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allo...Show more MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.Show less
CVE-2017-8809 2Debian Mediawiki 2Debian Linux Mediawiki May 13, 2026 Nov 15, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.
CVE-2017-8808 2Debian Mediawiki 2Debian Linux Mediawiki May 13, 2026 Nov 15, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping.
CVE-2012-4378 1Mediawiki 1Mediawiki May 13, 2026 Oct 26, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the...Show more Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php.Show less
CVE-2012-4377 1Mediawiki 1Mediawiki May 13, 2026 Oct 26, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.
CVE-2012-4382 1Mediawiki 1Mediawiki May 13, 2026 Oct 19, 2017 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt.
CVE-2012-4380 1Mediawiki 1Mediawiki May 13, 2026 Oct 19, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.
CVE-2012-4379 1Mediawiki 1Mediawiki May 13, 2026 Oct 19, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.
CVE-2014-9487 1Mediawiki 1Mediawiki May 13, 2026 Oct 17, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack...Show more The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.Show less
CVE-2015-8009 1Mediawiki 1Mediawiki May 13, 2026 Jul 25, 2017 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signatu...Show more The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials.Show less
CVE-2016-6337 1Mediawiki 1Mediawiki May 13, 2026 Apr 20, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights.
CVE-2016-6336 1Mediawiki 1Mediawiki May 13, 2026 Apr 20, 2017 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revi...Show more MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete.Show less

Previous 1...131415...22 Next