Total
355 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-44855 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 5.4 MEDIUM |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature. | |||||
CVE-2023-22911 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2023-12-10 | N/A | 6.1 MEDIUM |
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context. | |||||
CVE-2023-22909 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2023-12-10 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow. | |||||
CVE-2023-22945 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2023-12-10 | N/A | 4.3 MEDIUM |
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. | |||||
CVE-2023-22910 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 5.4 MEDIUM |
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability. | |||||
CVE-2023-22912 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt. | |||||
CVE-2021-44854 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis. | |||||
CVE-2021-44856 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value. | |||||
CVE-2022-41765 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. | |||||
CVE-2022-39193 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 5.3 MEDIUM |
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with suppression rights. | |||||
CVE-2021-42046 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 6.1 MEDIUM |
An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript. | |||||
CVE-2021-42049 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 6.5 MEDIUM |
An issue was discovered in the Translate extension in MediaWiki through 1.36.2. Oversighters cannot undo revisions or oversight on pages where they suppressed information (such as PII). This allows oversighters to whitewash revisions. | |||||
CVE-2021-42048 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 4.8 MEDIUM |
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits. | |||||
CVE-2022-34911 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text(). | |||||
CVE-2021-42045 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 5.4 MEDIUM |
An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote. | |||||
CVE-2022-28201 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | N/A | 4.4 MEDIUM |
An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. | |||||
CVE-2022-28204 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 7.5 HIGH |
A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk. | |||||
CVE-2022-34912 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped. | |||||
CVE-2021-42047 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 5.4 MEDIUM |
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can login with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback. | |||||
CVE-2022-39194 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | N/A | 4.9 MEDIUM |
An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed. |