Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mediawiki
(Mediawiki)| Repositories |
• https://github.com/wikimedia/mediawiki
• https://github.com/wikimedia/mediawiki-core |
| #Vulnerabilities | 354 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-12-21 | CVE-2020-35622 | An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions. | Mediawiki | 6.1 | ||
| 2020-11-24 | CVE-2020-29003 | The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll. | Mediawiki | 5.4 | ||
| 2020-11-24 | CVE-2020-29002 | includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator. | Mediawiki | 4.8 | ||
| 2020-10-28 | CVE-2020-27957 | The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension. | Mediawiki | 5.4 | ||
| 2020-10-22 | CVE-2020-27621 | The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inability to properly audit and attribute various user actions performed via the FileImporter extension. | Mediawiki | 4.3 | ||
| 2019-10-31 | CVE-2013-1951 | A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names. | Debian_linux, Mediawiki | N/A | ||
| 2020-06-02 | CVE-2020-10959 | resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page. | Mediawiki | N/A | ||
| 2020-02-08 | CVE-2012-4381 | MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors. | Mediawiki | N/A | ||
| 2020-02-06 | CVE-2013-4572 | The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user. | Fedora, Mediawiki | N/A | ||
| 2020-01-27 | CVE-2014-9481 | The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML. | Mediawiki | N/A |