Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mediawiki
(Mediawiki)| Repositories |
• https://github.com/wikimedia/mediawiki
• https://github.com/wikimedia/mediawiki-core |
| #Vulnerabilities | 354 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-01-29 | CVE-2020-29004 | The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. | Mediawiki | 8.8 | ||
| 2020-12-21 | CVE-2020-35626 | An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php. | Mediawiki | 8.8 | ||
| 2020-12-21 | CVE-2020-35624 | An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process unfolded. | Mediawiki | 5.3 | ||
| 2020-12-21 | CVE-2020-35622 | An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions. | Mediawiki | 6.1 | ||
| 2020-11-24 | CVE-2020-29003 | The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll. | Mediawiki | 5.4 | ||
| 2020-11-24 | CVE-2020-29002 | includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator. | Mediawiki | 4.8 | ||
| 2020-10-28 | CVE-2020-27957 | The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension. | Mediawiki | 5.4 | ||
| 2020-10-22 | CVE-2020-27621 | The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inability to properly audit and attribute various user actions performed via the FileImporter extension. | Mediawiki | 4.3 | ||
| 2019-10-31 | CVE-2013-1951 | A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names. | Debian_linux, Mediawiki | N/A | ||
| 2020-06-02 | CVE-2020-10959 | resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page. | Mediawiki | N/A |