Total
370 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2012-5391 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the session_id. | |||||
CVE-2013-4571 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 7.5 HIGH | N/A |
Buffer overflow in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 has unspecified impact and remote vectors. | |||||
CVE-2014-2243 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 5.8 MEDIUM | N/A |
includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses. | |||||
CVE-2015-6734 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2013-6472 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 5.0 MEDIUM | N/A |
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists. | |||||
CVE-2013-7444 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 5.0 MEDIUM | N/A |
The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text. | |||||
CVE-2015-2933 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a LanguageConverter substitution string when using a language variant. | |||||
CVE-2014-2853 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action. | |||||
CVE-2015-2942 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 7.1 HIGH | N/A |
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a different vulnerability than CVE-2015-2937. | |||||
CVE-2015-2934 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.3 MEDIUM | N/A |
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file. | |||||
CVE-2013-6454 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute. | |||||
CVE-2013-6452 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file. | |||||
CVE-2015-6730 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter, which is not properly handled in an error page, related to "ForeignAPI images." | |||||
CVE-2014-9276 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 5.1 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview. | |||||
CVE-2012-5395 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the centralauth_Session cookie. | |||||
CVE-2015-8004 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.0 MEDIUM | N/A |
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns a valid a change form. | |||||
CVE-2014-2665 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.0 MEDIUM | N/A |
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue. | |||||
CVE-2013-4574 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to videos. | |||||
CVE-2014-9475 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message. | |||||
CVE-2014-5242 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and 1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving the multipageimagenavbox class in conjunction with an action=raw value. |