← Back

Mediawiki

mediawiki

428 CVEs • 18 products

Products (18)

Click to collapse
Toggle
Mediawiki
mediawiki
395 CVEs
Checkuser
checkuser
8 CVEs
Cargo
cargo
7 CVEs
Abusefilter
abusefilter
3 CVEs
Visual Editor
visual_editor
3 CVEs
Mobilefrontend
mobilefrontend
2 CVEs
Mediawiki Botquery Ext
mediawiki_botquery_ext
1 CVE
Mediawik
mediawik
1 CVE
Rssreader
rssreader
1 CVE
Scribunto
scribunto
1 CVE
Skin\
skin\
1 CVE
Shortdescription
shortdescription
1 CVE
Createredirect
createredirect
1 CVE
Rss For Mediawiki
rss_for_mediawiki
1 CVE
Semantic Drilldown
semantic_drilldown
1 CVE
Wikisource Category Browser
wikisource_category_browser
1 CVE
Matomo
matomo
1 CVE
Score
score
1 CVE

CVEs (428)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2013-4306
1Mediawiki
1Mediawiki
Apr 29, 2026
Oct 11, 2013
N/A· v4
N/A· v3
6.8 MEDIUM· v2
Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary user...Show more
Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors.Show less
CVE-2013-4305
1Mediawiki
1Mediawiki
Apr 29, 2026
Oct 11, 2013
N/A· v4
N/A· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in contrib/example.php in the SyntaxHighlight GeSHi extension for MediaWiki, possibly as downloaded before September 2013, allows remote attackers to inject arbitrary web script o...Show more
Cross-site scripting (XSS) vulnerability in contrib/example.php in the SyntaxHighlight GeSHi extension for MediaWiki, possibly as downloaded before September 2013, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.Show less
CVE-2013-4307
1Mediawiki
1Mediawiki
Apr 29, 2026
Sep 12, 2013
N/A· v4
N/A· v3
4.3 MEDIUM· v2
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers...Show more
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description.Show less
CVE-2012-6453
1Mediawiki
1Rssreader
Apr 29, 2026
Dec 31, 2012
N/A· v4
N/A· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in the RSS Reader extension before 0.2.6 for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a crafted feed.
CVE-2012-4885
1Mediawiki
1Mediawiki
Apr 29, 2026
Sep 9, 2012
N/A· v4
N/A· v3
5.0 MEDIUM· v2
The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function.
CVE-2012-1582
1Mediawiki
1Mediawiki
Apr 29, 2026
Sep 9, 2012
N/A· v4
N/A· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to inject arbitrary web script or HTML via a crafted page with "forged st...Show more
Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to inject arbitrary web script or HTML via a crafted page with "forged strip item markers," as demonstrated using the CharInsert extension.Show less
CVE-2012-1581
1Mediawiki
1Mediawiki
Apr 29, 2026
Sep 9, 2012
N/A· v4
N/A· v3
5.0 MEDIUM· v2
MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random numbers for password reset tokens, which makes it easier for remote attackers to change the passwords of arbitrary users.
CVE-2012-1580
1Mediawiki
1Mediawiki
Apr 29, 2026
Sep 9, 2012
N/A· v4
N/A· v3
6.8 MEDIUM· v2
Cross-site request forgery (CSRF) vulnerability in Special:Upload in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to hijack the authentication of unspecified victims for requests that u...Show more
Cross-site request forgery (CSRF) vulnerability in Special:Upload in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload files.Show less
CVE-2012-1579
1Mediawiki
1Mediawiki
Apr 29, 2026
Sep 9, 2012
N/A· v4
N/A· v3
5.0 MEDIUM· v2
The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information.
CVE-2012-1578
1Mediawiki
1Mediawiki
Apr 29, 2026
Sep 9, 2012
N/A· v4
N/A· v3
6.8 MEDIUM· v2
Multiple cross-site request forgery (CSRF) vulnerabilities in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allow remote attackers to hijack the authentication of users with the block permission for requests th...Show more
Multiple cross-site request forgery (CSRF) vulnerabilities in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allow remote attackers to hijack the authentication of users with the block permission for requests that (1) block a user via a request to the Block module or (2) unblock a user via a request to the Unblock module.Show less
CVE-2012-2698
1Mediawiki
1Mediawiki
Apr 29, 2026
Jun 29, 2012
N/A· v4
N/A· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web...Show more
Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page.Show less
CVE-2011-4361
2Debian
Mediawiki
2Debian Linux
Mediawiki
Apr 29, 2026
Jan 8, 2012
N/A· v4
N/A· v3
5.0 MEDIUM· v2
MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning fun...Show more
MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions.Show less
CVE-2011-4360
2Debian
Mediawiki
2Debian Linux
Mediawiki
Apr 29, 2026
Jan 8, 2012
N/A· v4
N/A· v3
5.0 MEDIUM· v2
MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter.
CVE-2011-1766
1Mediawiki
1Mediawiki
Apr 29, 2026
May 23, 2011
N/A· v4
N/A· v3
5.8 MEDIUM· v2
includes/User.php in MediaWiki before 1.16.5, when wgBlockDisablesLogin is enabled, does not clear certain cached data after verification of an auth token fails, which allows remote attackers to bypass authentication by...Show more
includes/User.php in MediaWiki before 1.16.5, when wgBlockDisablesLogin is enabled, does not clear certain cached data after verification of an auth token fails, which allows remote attackers to bypass authentication by creating crafted wikiUserID and wikiUserName cookies, or by leveraging an unattended workstation.Show less
CVE-2011-1765
1Mediawiki
1Mediawiki
Apr 29, 2026
May 23, 2011
N/A· v4
N/A· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a danger...Show more
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .shtml at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578 and CVE-2011-1587.Show less
CVE-2011-1587
1Mediawiki
1Mediawiki
Apr 29, 2026
Apr 27, 2011
N/A· v4
N/A· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a danger...Show more
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578.Show less
CVE-2011-1580
1Mediawiki
1Mediawiki
Apr 29, 2026
Apr 27, 2011
N/A· v4
N/A· v3
3.5 LOW· v2
The transwiki import functionality in MediaWiki before 1.16.3 does not properly check privileges, which allows remote authenticated users to perform imports from any wgImportSources wiki via a crafted POST request.
CVE-2011-1579
1Mediawiki
1Mediawiki
Apr 29, 2026
Apr 27, 2011
N/A· v4
N/A· v3
5.8 MEDIUM· v2
The checkCss function in includes/Sanitizer.php in the wikitext parser in MediaWiki before 1.16.3 does not properly validate Cascading Style Sheets (CSS) token sequences, which allows remote attackers to conduct cross-si...Show more
The checkCss function in includes/Sanitizer.php in the wikitext parser in MediaWiki before 1.16.3 does not properly validate Cascading Style Sheets (CSS) token sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information by using the \2f\2a and \2a\2f hex strings to surround CSS comments.Show less
CVE-2011-1578
1Mediawiki
1Mediawiki
Apr 29, 2026
Apr 27, 2011
N/A· v4
N/A· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a danger...Show more
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character.Show less
CVE-2010-2789
1Mediawiki
1Mediawiki
Apr 29, 2026
Apr 27, 2011
N/A· v4
N/A· v3
6.8 MEDIUM· v2
PHP remote file inclusion vulnerability in MediaWikiParserTest.php in MediaWiki 1.16 beta, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via unspecified vectors.