Vulnerabilities (CVE)

Filtered by vendor Mediawiki Subscribe
Filtered by product Mediawiki
Total 370 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-5391 1 Mediawiki 1 Mediawiki 2025-04-12 6.8 MEDIUM N/A
Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the session_id.
CVE-2013-4571 1 Mediawiki 1 Mediawiki 2025-04-12 7.5 HIGH N/A
Buffer overflow in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 has unspecified impact and remote vectors.
CVE-2014-2243 1 Mediawiki 1 Mediawiki 2025-04-12 5.8 MEDIUM N/A
includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.
CVE-2015-6734 1 Mediawiki 1 Mediawiki 2025-04-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-6472 1 Mediawiki 1 Mediawiki 2025-04-12 5.0 MEDIUM N/A
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.
CVE-2013-7444 1 Mediawiki 1 Mediawiki 2025-04-12 5.0 MEDIUM N/A
The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text.
CVE-2015-2933 1 Mediawiki 1 Mediawiki 2025-04-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a LanguageConverter substitution string when using a language variant.
CVE-2014-2853 1 Mediawiki 1 Mediawiki 2025-04-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.
CVE-2015-2942 1 Mediawiki 1 Mediawiki 2025-04-12 7.1 HIGH N/A
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a different vulnerability than CVE-2015-2937.
CVE-2015-2934 1 Mediawiki 1 Mediawiki 2025-04-12 4.3 MEDIUM N/A
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.
CVE-2013-6454 1 Mediawiki 1 Mediawiki 2025-04-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute.
CVE-2013-6452 1 Mediawiki 1 Mediawiki 2025-04-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file.
CVE-2015-6730 1 Mediawiki 1 Mediawiki 2025-04-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter, which is not properly handled in an error page, related to "ForeignAPI images."
CVE-2014-9276 1 Mediawiki 1 Mediawiki 2025-04-12 5.1 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.
CVE-2012-5395 1 Mediawiki 1 Mediawiki 2025-04-12 6.8 MEDIUM N/A
Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the centralauth_Session cookie.
CVE-2015-8004 1 Mediawiki 1 Mediawiki 2025-04-12 4.0 MEDIUM N/A
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns a valid a change form.
CVE-2014-2665 1 Mediawiki 1 Mediawiki 2025-04-12 4.0 MEDIUM N/A
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.
CVE-2013-4574 1 Mediawiki 1 Mediawiki 2025-04-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to videos.
CVE-2014-9475 1 Mediawiki 1 Mediawiki 2025-04-12 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message.
CVE-2014-5242 1 Mediawiki 1 Mediawiki 2025-04-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and 1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving the multipageimagenavbox class in conjunction with an action=raw value.