Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Mediawiki Subscribe
Filtered by product Mediawiki
Total 317 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-46147 1 Mediawiki 1 Mediawiki 2022-01-13 6.8 MEDIUM 8.8 HIGH
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.
CVE-2021-46146 1 Mediawiki 1 Mediawiki 2022-01-13 3.5 LOW 5.4 MEDIUM
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The WikibaseMediaInfo component is vulnerable to XSS via the caption fields for a given media file.
CVE-2021-46148 1 Mediawiki 1 Mediawiki 2022-01-13 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Some unprivileged users can view confidential information (e.g., IP addresses and User-Agent headers for election traffic) on a testwiki SecurePoll instance.
CVE-2021-46150 1 Mediawiki 1 Mediawiki 2022-01-13 3.5 LOW 4.8 MEDIUM
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Special:CheckUserLog allows CheckUser XSS because of date mishandling, as demonstrated by an XSS payload in MediaWiki:October.
CVE-2021-46149 1 Mediawiki 1 Mediawiki 2022-01-13 5.0 MEDIUM 7.5 HIGH
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A denial of service (resource consumption) can be accomplished by searching for a very long key in a Language Name Search.
CVE-2020-26121 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2022-01-06 5.0 MEDIUM 7.5 HIGH
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an upload restriction and a create restriction. An attacker cannot leverage this to overwrite anything, but can leverage this to force a wiki to have a page with a disallowed title.
CVE-2020-26120 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2022-01-06 4.3 MEDIUM 6.1 MEDIUM
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM.
CVE-2020-25869 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2022-01-06 5.0 MEDIUM 7.5 HIGH
An information leak was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. Handling of actor ID does not necessarily use the correct database or correct wiki.
CVE-2020-25828 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2022-01-01 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)
CVE-2020-25827 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2022-01-01 5.0 MEDIUM 7.5 HIGH
An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.
CVE-2020-25812 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2022-01-01 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
CVE-2020-25813 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2022-01-01 5.0 MEDIUM 5.3 MEDIUM
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
CVE-2020-25815 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2022-01-01 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().
CVE-2020-25814 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2022-01-01 4.3 MEDIUM 6.1 MEDIUM
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked.
CVE-2021-44858 1 Mediawiki 1 Mediawiki 2021-12-29 5.0 MEDIUM 7.5 HIGH
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead.
CVE-2021-45038 1 Mediawiki 1 Mediawiki 2021-12-21 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback query, attackers can view private wiki contents.
CVE-2021-30157 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2021-12-10 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.
CVE-2021-30154 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2021-12-10 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.
CVE-2021-30155 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2021-12-08 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page.
CVE-2021-30158 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2021-12-08 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.