Filtered by vendor Mediawiki
Subscribe
Total
374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-9480 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. | |||||
| CVE-2014-2665 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.0 MEDIUM | N/A |
| includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue. | |||||
| CVE-2015-2935 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 5.0 MEDIUM | N/A |
| MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT." | |||||
| CVE-2014-7199 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file. | |||||
| CVE-2013-6472 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 5.0 MEDIUM | N/A |
| MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists. | |||||
| CVE-2013-4574 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to videos. | |||||
| CVE-2013-6453 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 7.5 HIGH | N/A |
| MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML. | |||||
| CVE-2013-4304 | 2 Brion Vibber, Mediawiki | 2 Centralauth Extension, Mediawiki | 2023-12-10 | 7.5 HIGH | N/A |
| The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote attackers to bypass authentication without a password. | |||||
| CVE-2015-2932 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | N/A |
| Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element. | |||||
| CVE-2013-6452 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file. | |||||
| CVE-2014-9479 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox. | |||||
| CVE-2014-9507 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 2.6 LOW | N/A |
| MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS. | |||||
| CVE-2014-3455 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote attackers to hijack the authentication of users for requests that have unspecified impact and vectors. | |||||
| CVE-2014-5241 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 6.8 MEDIUM | N/A |
| The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set. | |||||
| CVE-2014-9475 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message. | |||||
| CVE-2013-4307 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description. | |||||
| CVE-2013-4573 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the ZeroRatedMobileAccess extension for MediaWiki 1.19.x before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to inject arbitrary web script or HTML via the "to" parameter to index.php. | |||||
| CVE-2012-1579 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 5.0 MEDIUM | N/A |
| The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. | |||||
| CVE-2013-2031 | 2 Gentoo, Mediawiki | 2 Linux, Mediawiki | 2023-12-10 | 4.3 MEDIUM | N/A |
| MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox. | |||||
| CVE-2013-2114 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 6.8 MEDIUM | N/A |
| Unrestricted file upload vulnerability in the chunk upload API in MediaWiki 1.19 through 1.19.6 and 1.20.x before 1.20.6 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. | |||||