Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-2935 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 5.0 MEDIUM | N/A |
| MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT." | |||||
| CVE-2015-2936 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 7.1 HIGH | N/A |
| MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password. | |||||
| CVE-2015-2932 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element. | |||||
| CVE-2015-2933 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a LanguageConverter substitution string when using a language variant. | |||||
| CVE-2013-2032 | 3 Fedoraproject, Gentoo, Mediawiki | 3 Fedora, Linux, Mediawiki | 2016-10-18 | 5.0 MEDIUM | N/A |
| MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks. | |||||
| CVE-2004-1405 | 1 Mediawiki | 1 Mediawiki | 2016-10-18 | 7.5 HIGH | N/A |
| MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code. | |||||
| CVE-2014-1610 | 1 Mediawiki | 1 Mediawiki | 2016-05-25 | 6.0 MEDIUM | N/A |
| MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php. | |||||
| CVE-2015-8002 | 1 Mediawiki | 1 Mediawiki | 2015-11-10 | 6.8 MEDIUM | N/A |
| The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authenticated users to cause a denial of service (disk consumption) via a file upload using one byte chunks. | |||||
| CVE-2015-8004 | 1 Mediawiki | 1 Mediawiki | 2015-11-10 | 4.0 MEDIUM | N/A |
| MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns a valid a change form. | |||||
| CVE-2015-8003 | 1 Mediawiki | 1 Mediawiki | 2015-11-10 | 6.8 MEDIUM | N/A |
| MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not throttle file uploads, which allows remote authenticated users to have unspecified impact via multiple file uploads. | |||||
| CVE-2015-8001 | 1 Mediawiki | 1 Mediawiki | 2015-11-10 | 3.5 LOW | N/A |
| The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file size. | |||||
| CVE-2015-8005 | 1 Mediawiki | 1 Mediawiki | 2015-11-10 | 5.0 MEDIUM | N/A |
| MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file. | |||||
| CVE-2014-9476 | 1 Mediawiki | 1 Mediawiki | 2015-09-17 | 5.0 MEDIUM | N/A |
| MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/." | |||||
| CVE-2014-9475 | 1 Mediawiki | 1 Mediawiki | 2015-09-17 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message. | |||||
| CVE-2014-2853 | 1 Mediawiki | 1 Mediawiki | 2015-09-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action. | |||||
| CVE-2014-5242 | 1 Mediawiki | 1 Mediawiki | 2015-09-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and 1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving the multipageimagenavbox class in conjunction with an action=raw value. | |||||
| CVE-2015-6727 | 2 Canonical, Mediawiki | 2 Ubuntu Linux, Mediawiki | 2015-09-02 | 5.0 MEDIUM | N/A |
| The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to determine if an IP is autoblocked via the "Change block" text. | |||||
| CVE-2013-7444 | 1 Mediawiki | 1 Mediawiki | 2015-09-02 | 5.0 MEDIUM | N/A |
| The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text. | |||||
| CVE-2014-7295 | 1 Mediawiki | 1 Mediawiki | 2015-08-06 | 3.5 LOW | N/A |
| The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allows remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css. | |||||
| CVE-2014-9480 | 1 Mediawiki | 1 Mediawiki | 2015-01-20 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. | |||||