Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Mediawiki Subscribe
Total 335 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-7295 1 Mediawiki 1 Mediawiki 2015-08-06 3.5 LOW N/A
The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allows remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css.
CVE-2014-9480 1 Mediawiki 1 Mediawiki 2015-01-20 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts.
CVE-2014-9479 1 Mediawiki 1 Mediawiki 2015-01-20 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox.
CVE-2014-9478 1 Mediawiki 1 Mediawiki 2015-01-20 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page.
CVE-2014-9477 1 Mediawiki 1 Mediawiki 2015-01-20 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter.
CVE-2014-9507 1 Mediawiki 1 Mediawiki 2015-01-13 2.6 LOW N/A
MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.
CVE-2014-9277 1 Mediawiki 1 Mediawiki 2015-01-06 7.5 HIGH N/A
The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>.
CVE-2014-9276 1 Mediawiki 1 Mediawiki 2015-01-06 5.1 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.
CVE-2014-7199 1 Mediawiki 1 Mediawiki 2014-10-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.
CVE-2012-5395 1 Mediawiki 1 Mediawiki 2014-06-03 6.8 MEDIUM N/A
Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the centralauth_Session cookie.
CVE-2014-3455 1 Mediawiki 1 Mediawiki 2014-05-13 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote attackers to hijack the authentication of users for requests that have unspecified impact and vectors.
CVE-2014-3454 1 Mediawiki 1 Mediawiki 2014-05-13 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in Special:CreateCategory in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to hijack the authentication of users for requests that create categories via unspecified vectors.
CVE-2013-6472 1 Mediawiki 1 Mediawiki 2014-05-13 5.0 MEDIUM N/A
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.
CVE-2013-6454 1 Mediawiki 1 Mediawiki 2014-05-13 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute.
CVE-2013-6453 1 Mediawiki 1 Mediawiki 2014-05-13 7.5 HIGH N/A
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML.
CVE-2013-6452 1 Mediawiki 1 Mediawiki 2014-05-13 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file.
CVE-2013-4574 1 Mediawiki 1 Mediawiki 2014-05-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to videos.
CVE-2013-4571 1 Mediawiki 1 Mediawiki 2014-05-12 7.5 HIGH N/A
Buffer overflow in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 has unspecified impact and remote vectors.
CVE-2013-4570 1 Mediawiki 1 Mediawiki 2014-05-12 5.0 MEDIUM N/A
The zend_inline_hash_func function in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to converting Lua data structures to PHP, as demonstrated by passing { [{}] = 1 } to a module function.
CVE-2014-2665 1 Mediawiki 1 Mediawiki 2014-04-23 4.0 MEDIUM N/A
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.