Filtered by vendor Mediawiki
Subscriptions
Filtered by product Mediawiki
Subscriptions
Total
366 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-40601 | 1 Mediawiki | 1 Mediawiki | 2024-10-27 | 6.3 Medium |
An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules. | ||||
CVE-2023-45363 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-10-15 | 7.5 High |
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. | ||||
CVE-2023-45361 | 1 Mediawiki | 1 Mediawiki | 2024-10-10 | 6.1 Medium |
An issue was discovered in VectorComponentUserLinks.php in the Vector Skin component in MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-intro-page MalformedTitleException is uncaught if it is not a valid title, leading to incorrect web pages. | ||||
CVE-2023-36674 | 1 Mediawiki | 1 Mediawiki | 2024-10-08 | 5.3 Medium |
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax. | ||||
CVE-2023-51704 | 1 Mediawiki | 1 Mediawiki | 2024-09-26 | 6.1 Medium |
An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights. | ||||
CVE-2024-23179 | 1 Mediawiki | 1 Mediawiki | 2024-09-25 | 6.1 Medium |
An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks. | ||||
CVE-2023-3550 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-09-24 | 7.3 High |
Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator. | ||||
CVE-2023-45374 | 1 Mediawiki | 1 Mediawiki | 2024-09-19 | 5.3 Medium |
An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It does not check for the anti-CSRF edit token in Special:SportsTeamsManager and Special:UpdateFavoriteTeams. | ||||
CVE-2023-45372 | 1 Mediawiki | 1 Mediawiki | 2024-09-19 | 5.3 Medium |
An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. During item merging, ItemMergeInteractor does not have an edit filter running (e.g., AbuseFilter). | ||||
CVE-2023-45370 | 1 Mediawiki | 1 Mediawiki | 2024-09-19 | 5.3 Medium |
An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo do not check for the sportsteamsmanager user right, and thus an attacker may be able to affect pages that are concerned with sports teams. | ||||
CVE-2023-45364 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-09-19 | 5.3 Medium |
An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. Deleted revision existence is leaked due to incorrect permissions being checked. This reveals that a given revision ID belonged to the given page title, and its timestamp, both of which are not supposed to be public information. | ||||
CVE-2023-45367 | 1 Mediawiki | 1 Mediawiki | 2024-09-19 | 6.5 Medium |
An issue was discovered in the CheckUser extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. A user can use a rest.php/checkuser/v0/useragent-clienthints/revision/ URL to store an arbitrary number of rows in cu_useragent_clienthints, leading to a denial of service. | ||||
CVE-2023-45369 | 1 Mediawiki | 1 Mediawiki | 2024-09-19 | 4.3 Medium |
An issue was discovered in the PageTriage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. Usernames of hidden users are exposed. | ||||
CVE-2023-45371 | 1 Mediawiki | 1 Mediawiki | 2024-09-19 | 7.5 High |
An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is no rate limit for merging items. | ||||
CVE-2023-45373 | 1 Mediawiki | 1 Mediawiki | 2024-09-19 | 6.1 Medium |
An issue was discovered in the ProofreadPage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. XSS can occur via formatNumNoSeparators. | ||||
CVE-2010-2789 | 1 Mediawiki | 1 Mediawiki | 2024-09-17 | N/A |
PHP remote file inclusion vulnerability in MediaWikiParserTest.php in MediaWiki 1.16 beta, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via unspecified vectors. | ||||
CVE-2014-3455 | 1 Mediawiki | 1 Mediawiki | 2024-09-17 | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote attackers to hijack the authentication of users for requests that have unspecified impact and vectors. | ||||
CVE-2004-2186 | 1 Mediawiki | 1 Mediawiki | 2024-09-17 | N/A |
SQL injection vulnerability in MediaWiki 1.3.5 allows remote attackers to execute arbitrary SQL commands via SpecialMaintenance. | ||||
CVE-2005-3165 | 1 Mediawiki | 1 Mediawiki | 2024-09-17 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.4.9 allow remote attackers to inject arbitrary web script or HTML via (1) <math> tags or (2) Extension or <nowiki> sections that "bypass HTML style attribute restrictions" that are intended to protect against XSS vulnerabilities in Internet Explorer clients. | ||||
CVE-2018-0503 | 3 Debian, Mediawiki, Redhat | 3 Debian Linux, Mediawiki, Openshift | 2024-09-17 | N/A |
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry for 'user' overrides that for 'newbie'. |