Note: This project will be discontinued after December 13, 2021.
Product: Mediawiki (Mediawiki)

Repositories:
• https://github.com/wikimedia/mediawiki
• https://github.com/wikimedia/mediawiki-core

#Vulnerabilities: 354

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2019-07-10 | CVE-2019-12473 | Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Debian_linux, Mediawiki | 7.5 | ||
2019-07-10 | CVE-2019-12471 | Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Debian_linux, Mediawiki | 6.1 | ||
2019-07-10 | CVE-2019-12470 | Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Debian_linux, Mediawiki | 6.5 | ||
2019-07-10 | CVE-2019-12469 | MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Debian_linux, Mediawiki | 6.5 | ||
2019-07-10 | CVE-2019-12467 | MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Debian_linux, Mediawiki | 5.3 | ||
2019-07-10 | CVE-2019-12474 | Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | Debian_linux, Mediawiki | 7.5 | ||
2019-07-10 | CVE-2019-12466 | Wikimedia MediaWiki through 1.32.1 allows CSRF. | Debian_linux, Mediawiki | 8.8 | ||
2018-10-04 | CVE-2018-13258 | Mediawiki 1.31 before 1.31.1 misses .htaccess files in the provided tarball used to protect some directories that shouldn't be web accessible. | Mediawiki | 5.3 | ||
2017-11-15 | CVE-2017-8815 | The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules. | Debian_linux, Mediawiki | 7.5 | ||
2017-11-15 | CVE-2017-8814 | The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk." | Debian_linux, Mediawiki | 7.5 |