Filtered by vendor Mediawiki
Total 389 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-29904 1 Mediawiki 1 Mediawiki 2024-08-03 9.8 Critical
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints.
CVE-2022-29905 1 Mediawiki 1 Mediawiki 2024-08-03 4.3 Medium
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.
CVE-2022-29547 1 Mediawiki 1 Createredirect 2024-08-03 7.5 High
The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the target page. This could lead to an unauthorised (or blocked) user being able to edit a page.
CVE-2022-28323 1 Mediawiki 1 Mediawiki 2024-08-03 7.5 High
An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,
CVE-2022-28203 2 Debian, Mediawiki 2 Debian Linux, Mediawiki 2024-08-03 7.5 High
A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.
CVE-2022-28205 1 Mediawiki 1 Mediawiki 2024-08-03 9.8 Critical
An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future.
CVE-2022-28206 1 Mediawiki 1 Mediawiki 2024-08-03 9.8 Critical
An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.
CVE-2022-28201 2 Debian, Mediawiki 2 Debian Linux, Mediawiki 2024-08-03 4.4 Medium
An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.
CVE-2022-28204 1 Mediawiki 1 Mediawiki 2024-08-03 7.5 High
A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk.
CVE-2022-28202 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2024-08-03 6.1 Medium
An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.
CVE-2022-28209 1 Mediawiki 1 Mediawiki 2024-08-03 9.8 Critical
An issue was discovered in MediaWiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.
CVE-2022-21710 1 Mediawiki 1 Shortdescription 2024-08-03 4.7 Medium
ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4.
CVE-2022-4561 1 Mediawiki 1 Semantic Drilldown 2024-08-03 3.5 Low
A vulnerability classified as problematic has been found in SemanticDrilldown Extension. Affected is the function printFilterLine of the file includes/specials/SDBrowseDataPage.php of the component GET Parameter Handler. The manipulation of the argument value leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is 6e18cf740a4548166c1d95f6d3a28541d298a3aa. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215964.
CVE-2023-45362 1 Mediawiki 1 Mediawiki 2024-08-02 4.3 Medium
An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak.
CVE-2023-45360 1 Mediawiki 1 Mediawiki 2024-08-02 5.4 Medium
An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers.
CVE-2023-37304 1 Mediawiki 1 Mediawiki 2024-08-02 5.4 Medium
An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the column alignment feature.
CVE-2023-37305 1 Mediawiki 1 Mediawiki 2024-08-02 5.3 Medium
An issue was discovered in the ProofreadPage (aka Proofread Page) extension for MediaWiki through 1.39.3. In includes/Page/PageContentHandler.php and includes/Page/PageDisplayHandler.php, hidden users can be exposed via public interfaces.
CVE-2023-37303 1 Mediawiki 1 Mediawiki 2024-08-02 9.8 Critical
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user fails after a temporary browser hang and a DBQueryDisconnectedError error message.
CVE-2023-37301 1 Mediawiki 1 Mediawiki 2024-08-02 5.3 Medium
An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn't use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.
CVE-2023-37300 1 Mediawiki 1 Mediawiki 2024-08-02 5.3 Medium
An issue was discovered in the CheckUserLog API in the CheckUser extension for MediaWiki through 1.39.3. There is incorrect access control for visibility of hidden users.