Filtered by vendor Mediawiki
Subscriptions
Total
404 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-23173 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | 6.1 Medium |
| An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php. | ||||
| CVE-2022-28204 | 1 Mediawiki | 1 Mediawiki | 2025-05-29 | 7.5 High |
| A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk. | ||||
| CVE-2022-21710 | 1 Mediawiki | 1 Shortdescription | 2025-04-22 | 4.7 Medium |
| ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4. | ||||
| CVE-2017-8808 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | N/A |
| MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping. | ||||
| CVE-2016-6333 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css. | ||||
| CVE-2014-9487 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053. | ||||
| CVE-2012-4380 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors. | ||||
| CVE-2012-4378 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php. | ||||
| CVE-2016-6331 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php. | ||||
| CVE-2016-6335 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php. | ||||
| CVE-2017-8811 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | N/A |
| The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks. | ||||
| CVE-2017-8809 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | N/A |
| api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability. | ||||
| CVE-2017-8814 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | N/A |
| The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk." | ||||
| CVE-2016-6332 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to terminate sessions when a user account is blocked. | ||||
| CVE-2015-8625 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters. | ||||
| CVE-2016-6336 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete. | ||||
| CVE-2017-8815 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | N/A |
| The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules. | ||||
| CVE-2017-8812 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | N/A |
| MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline. | ||||
| CVE-2015-8009 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | N/A |
| The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials. | ||||
| CVE-2015-8008 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2025-04-20 | N/A |
| The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token. | ||||