Filtered by vendor Mediawiki
Subscribe
Total
335 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2014-7295 | 1 Mediawiki | 1 Mediawiki | 2015-08-06 | 3.5 LOW | N/A |
The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allows remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css. | |||||
CVE-2014-9480 | 1 Mediawiki | 1 Mediawiki | 2015-01-20 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. | |||||
CVE-2014-9479 | 1 Mediawiki | 1 Mediawiki | 2015-01-20 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox. | |||||
CVE-2014-9478 | 1 Mediawiki | 1 Mediawiki | 2015-01-20 | 2.6 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page. | |||||
CVE-2014-9477 | 1 Mediawiki | 1 Mediawiki | 2015-01-20 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter. | |||||
CVE-2014-9507 | 1 Mediawiki | 1 Mediawiki | 2015-01-13 | 2.6 LOW | N/A |
MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS. | |||||
CVE-2014-9277 | 1 Mediawiki | 1 Mediawiki | 2015-01-06 | 7.5 HIGH | N/A |
The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>. | |||||
CVE-2014-9276 | 1 Mediawiki | 1 Mediawiki | 2015-01-06 | 5.1 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview. | |||||
CVE-2014-7199 | 1 Mediawiki | 1 Mediawiki | 2014-10-03 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file. | |||||
CVE-2012-5395 | 1 Mediawiki | 1 Mediawiki | 2014-06-03 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the centralauth_Session cookie. | |||||
CVE-2014-3455 | 1 Mediawiki | 1 Mediawiki | 2014-05-13 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote attackers to hijack the authentication of users for requests that have unspecified impact and vectors. | |||||
CVE-2014-3454 | 1 Mediawiki | 1 Mediawiki | 2014-05-13 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in Special:CreateCategory in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to hijack the authentication of users for requests that create categories via unspecified vectors. | |||||
CVE-2013-6472 | 1 Mediawiki | 1 Mediawiki | 2014-05-13 | 5.0 MEDIUM | N/A |
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists. | |||||
CVE-2013-6454 | 1 Mediawiki | 1 Mediawiki | 2014-05-13 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute. | |||||
CVE-2013-6453 | 1 Mediawiki | 1 Mediawiki | 2014-05-13 | 7.5 HIGH | N/A |
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML. | |||||
CVE-2013-6452 | 1 Mediawiki | 1 Mediawiki | 2014-05-13 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file. | |||||
CVE-2013-4574 | 1 Mediawiki | 1 Mediawiki | 2014-05-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to videos. | |||||
CVE-2013-4571 | 1 Mediawiki | 1 Mediawiki | 2014-05-12 | 7.5 HIGH | N/A |
Buffer overflow in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 has unspecified impact and remote vectors. | |||||
CVE-2013-4570 | 1 Mediawiki | 1 Mediawiki | 2014-05-12 | 5.0 MEDIUM | N/A |
The zend_inline_hash_func function in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to converting Lua data structures to PHP, as demonstrated by passing { [{}] = 1 } to a module function. | |||||
CVE-2014-2665 | 1 Mediawiki | 1 Mediawiki | 2014-04-23 | 4.0 MEDIUM | N/A |
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue. |