Filtered by vendor Mediawiki
Subscriptions
Filtered by product Mediawiki
Subscriptions
Total
355 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-37251 | 1 Mediawiki | 1 Mediawiki | 2023-07-06 | 6.1 Medium |
| An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs. | ||||
| CVE-2023-37254 | 1 Mediawiki | 1 Mediawiki | 2023-07-06 | 6.1 Medium |
| An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted page item when using the default format. | ||||
| CVE-2023-37255 | 1 Mediawiki | 1 Mediawiki | 2023-07-06 | 6.1 Medium |
| An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header. | ||||
| CVE-2023-37256 | 1 Mediawiki | 1 Mediawiki | 2023-07-06 | 6.1 Medium |
| An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. It allows one to store javascript: URLs in URL fields, and automatically links these URLs. | ||||
| CVE-2022-41766 | 1 Mediawiki | 1 Mediawiki | 2023-06-05 | 4.3 Medium |
| An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed). | ||||
| CVE-2022-41767 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 5.3 Medium |
| An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup. | ||||
| CVE-2022-41765 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 5.3 Medium |
| An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. | ||||
| CVE-2022-28209 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 9.8 Critical |
| An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect. | ||||
| CVE-2022-28206 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 9.8 Critical |
| An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights. | ||||
| CVE-2022-28205 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 9.8 Critical |
| An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future. | ||||
| CVE-2021-45038 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 5.3 Medium |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback query, attackers can view private wiki contents. | ||||
| CVE-2021-44858 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 7.5 High |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead. | ||||
| CVE-2021-44857 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 6.5 Medium |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead. | ||||
| CVE-2021-44856 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 5.3 Medium |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value. | ||||
| CVE-2021-44855 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 5.4 Medium |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature. | ||||
| CVE-2023-29140 | 1 Mediawiki | 1 Mediawiki | 2023-04-11 | 5.3 Medium |
| An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted. | ||||
| CVE-2023-29139 | 1 Mediawiki | 1 Mediawiki | 2023-04-11 | 6.5 Medium |
| An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. When a user with checkuserlog permissions makes many CheckUserLog API requests in some configurations, denial of service can occur (RequestTimeoutException or upstream request timeout). | ||||
| CVE-2023-29137 | 1 Mediawiki | 1 Mediawiki | 2023-04-10 | 4.3 Medium |
| An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users. | ||||
| CVE-2010-1150 | 1 Mediawiki | 1 Mediawiki | 2023-02-13 | N/A |
| MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue. | ||||
| CVE-2019-19709 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-02-01 | 6.1 Medium |
| MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. | ||||