Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mediawiki
(Mediawiki)Repositories |
• https://github.com/wikimedia/mediawiki
• https://github.com/wikimedia/mediawiki-core |
#Vulnerabilities | 369 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2008-12-19 | CVE-2008-5688 | MediaWiki 1.8.1, and other versions before 1.13.3, when the wgShowExceptionDetails variable is enabled, sometimes provides the full installation path in a debugging message, which might allow remote attackers to obtain sensitive information via unspecified requests that trigger an uncaught exception. | Mediawiki | N/A | ||
2011-04-27 | CVE-2011-1587 | Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578. | Mediawiki | N/A | ||
2011-05-23 | CVE-2011-1765 | Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .shtml at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578 and CVE-2011-1587. | Mediawiki | N/A | ||
2014-03-02 | CVE-2014-2242 | includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element. | Mediawiki | N/A | ||
2014-03-02 | CVE-2014-2243 | includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses. | Mediawiki | N/A | ||
2014-03-02 | CVE-2014-2244 | Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php. | Mediawiki | N/A | ||
2019-09-26 | CVE-2019-16738 | In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. | Debian_linux, Fedora, Mediawiki | 5.3 | ||
2010-04-20 | CVE-2010-1150 | MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue. | Mediawiki | N/A | ||
2019-12-11 | CVE-2019-19709 | MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. | Debian_linux, Mediawiki | 6.1 | ||
2022-02-18 | CVE-2017-0371 | MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the title attribute. | Mediawiki | 7.5 |