Total
355 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2014-9481 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML. | |||||
CVE-2012-0046 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
mediawiki allows deleted text to be exposed | |||||
CVE-2013-6455 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page. | |||||
CVE-2012-4381 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 9.3 HIGH | 8.1 HIGH |
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors. | |||||
CVE-2020-6163 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file). | |||||
CVE-2013-1951 | 3 Debian, Linux, Mediawiki | 3 Debian Linux, Linux Kernel, Mediawiki | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names. | |||||
CVE-2013-1817 | 4 Debian, Fedoraproject, Mediawiki and 1 more | 4 Debian Linux, Fedora, Mediawiki and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information. | |||||
CVE-2019-12469 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | |||||
CVE-2019-12467 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | |||||
CVE-2019-12472 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | |||||
CVE-2019-12474 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | |||||
CVE-2019-12473 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | |||||
CVE-2019-12468 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. | |||||
CVE-2019-12471 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | |||||
CVE-2019-12470 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | |||||
CVE-2019-12466 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Wikimedia MediaWiki through 1.32.1 allows CSRF. | |||||
CVE-2018-0505 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock | |||||
CVE-2018-0504 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid | |||||
CVE-2018-0503 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry for 'user' overrides that for 'newbie'. | |||||
CVE-2018-13258 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Mediawiki 1.31 before 1.31.1 misses .htaccess files in the provided tarball used to protect some directories that shouldn't be web accessible. |