Filtered by vendor Mediawiki
Subscriptions
Total
389 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-25815 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-08-04 | 6.1 Medium |
An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text(). | ||||
CVE-2020-25813 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-08-04 | 5.3 Medium |
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users. | ||||
CVE-2020-25828 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-08-04 | 6.1 Medium |
An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) | ||||
CVE-2020-15005 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2024-08-04 | 3.1 Low |
In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled. | ||||
CVE-2020-12051 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 7.5 High |
The CentralAuth extension through REL1_34 for MediaWiki allows remote attackers to obtain sensitive hidden account information via an api.php?action=query&meta=globaluserinfo&guiuser= request. In other words, the information can be retrieved via the action API even though access would be denied when simply visiting wiki/Special:CentralAuth in a web browser. | ||||
CVE-2020-10959 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 6.1 Medium |
resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page. | ||||
CVE-2020-10960 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 5.3 Medium |
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS). | ||||
CVE-2020-10534 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 9.8 Critical |
In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled. | ||||
CVE-2020-6163 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 6.1 Medium |
The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file). | ||||
CVE-2021-46149 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 7.5 High |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A denial of service (resource consumption) can be accomplished by searching for a very long key in a Language Name Search. | ||||
CVE-2021-46150 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 4.8 Medium |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Special:CheckUserLog allows CheckUser XSS because of date mishandling, as demonstrated by an XSS payload in MediaWiki:October. | ||||
CVE-2021-46148 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 6.5 Medium |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Some unprivileged users can view confidential information (e.g., IP addresses and User-Agent headers for election traffic) on a testwiki SecurePoll instance. | ||||
CVE-2021-46147 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 8.8 High |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF. | ||||
CVE-2021-46146 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 5.4 Medium |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The WikibaseMediaInfo component is vulnerable to XSS via the caption fields for a given media file. | ||||
CVE-2021-45471 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-08-04 | 5.3 Medium |
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items. | ||||
CVE-2021-45472 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-08-04 | 6.1 Medium |
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used. | ||||
CVE-2021-45474 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-08-04 | 6.1 Medium |
In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter. | ||||
CVE-2021-45473 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-08-04 | 6.1 Medium |
In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which is triggered upon a visit to an action=info URL (aka a page-information sidebar). | ||||
CVE-2021-45038 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 5.3 Medium |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback query, attackers can view private wiki contents. | ||||
CVE-2021-44857 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 6.5 Medium |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead. |