Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Mediawiki Subscribe
Total 335 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-22945 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2023-02-27 N/A 4.3 MEDIUM
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.
CVE-2023-22909 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2023-02-27 N/A 5.3 MEDIUM
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.
CVE-2023-22911 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2023-02-27 N/A 6.1 MEDIUM
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.
CVE-2017-20175 1 Mediawiki 1 Matomo 2023-02-14 N/A 6.1 MEDIUM
A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2. This affects an unknown part of the file Piwik.hooks.php of the component Username Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.4.3 is able to address this issue. The name of the patch is 681324e4f518a8af4bd1f93867074c728eb9923d. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220203.
CVE-2010-1150 1 Mediawiki 1 Mediawiki 2023-02-12 6.0 MEDIUM N/A
MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue.
CVE-2011-1587 2 Mediawiki, Microsoft 2 Mediawiki, Internet Explorer 2023-02-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578.
CVE-2011-1765 2 Mediawiki, Microsoft 2 Mediawiki, Internet Explorer 2023-02-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .shtml at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578 and CVE-2011-1587.
CVE-2022-39193 1 Mediawiki 1 Mediawiki 2023-02-02 N/A 5.3 MEDIUM
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with checkuser access.
CVE-2019-19709 2 Debian, Mediawiki 2 Debian Linux, Mediawiki 2023-02-01 5.8 MEDIUM 6.1 MEDIUM
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.
CVE-2022-47927 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2023-01-30 N/A 5.5 MEDIUM
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data.
CVE-2023-22910 1 Mediawiki 1 Mediawiki 2023-01-26 N/A 5.4 MEDIUM
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.
CVE-2023-22912 1 Mediawiki 1 Mediawiki 2023-01-26 N/A 5.3 MEDIUM
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt.
CVE-2015-10058 1 Mediawiki 1 Wikisource Category Browser 2023-01-24 N/A 6.1 MEDIUM
A vulnerability, which was classified as problematic, was found in Wikisource Category Browser. This affects an unknown part of the file index.php. The manipulation of the argument lang leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is 764f4e8ce3f9242637df77530c70ae8a2ec4b6a1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218415.
CVE-2021-44856 1 Mediawiki 1 Mediawiki 2023-01-04 N/A 5.3 MEDIUM
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.
CVE-2022-41767 1 Mediawiki 1 Mediawiki 2023-01-04 N/A 5.3 MEDIUM
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup.
CVE-2022-41765 1 Mediawiki 1 Mediawiki 2023-01-04 N/A 5.3 MEDIUM
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.
CVE-2021-44855 1 Mediawiki 1 Mediawiki 2023-01-03 N/A 5.4 MEDIUM
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.
CVE-2021-44854 1 Mediawiki 1 Mediawiki 2023-01-03 N/A 5.3 MEDIUM
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.
CVE-2022-4561 1 Mediawiki 1 Semantic Drilldown 2022-12-21 N/A 6.1 MEDIUM
A vulnerability classified as problematic has been found in SemanticDrilldown Extension. Affected is the function printFilterLine of the file includes/specials/SDBrowseDataPage.php of the component GET Parameter Handler. The manipulation of the argument value leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is 6e18cf740a4548166c1d95f6d3a28541d298a3aa. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215964.
CVE-2022-28203 2 Debian, Mediawiki 2 Debian Linux, Mediawiki 2022-11-03 N/A 7.5 HIGH
A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.