Filtered by vendor Mediawiki
Subscriptions
Filtered by product Mediawiki
Subscriptions
Total
456 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-6734 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2015-8004 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns a valid a change form. | ||||
| CVE-2014-2853 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action. | ||||
| CVE-2014-9476 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/." | ||||
| CVE-2013-7444 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text. | ||||
| CVE-2014-3966 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username. | ||||
| CVE-2014-9478 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page. | ||||
| CVE-2015-8001 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file size. | ||||
| CVE-2015-6730 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter, which is not properly handled in an error page, related to "ForeignAPI images." | ||||
| CVE-2013-4307 | 1 Mediawiki | 1 Mediawiki | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description. | ||||
| CVE-2013-4568 | 1 Mediawiki | 1 Mediawiki | 2025-04-11 | N/A |
| Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer. | ||||
| CVE-2010-2787 | 1 Mediawiki | 1 Mediawiki | 2025-04-11 | N/A |
| api.php in MediaWiki before 1.15.5 does not prevent use of public caching headers for private data, which allows remote attackers to bypass intended access restrictions and obtain sensitive information by retrieving documents from an HTTP proxy cache that has been used by a victim. | ||||
| CVE-2011-0047 | 1 Mediawiki | 1 Mediawiki | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability." | ||||
| CVE-2010-1150 | 1 Mediawiki | 1 Mediawiki | 2025-04-11 | N/A |
| MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue. | ||||
| CVE-2012-1579 | 1 Mediawiki | 1 Mediawiki | 2025-04-11 | N/A |
| The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. | ||||
| CVE-2013-4308 | 2 Liquidthreads Project, Mediawiki | 2 Liquidthreads, Mediawiki | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. | ||||
| CVE-2012-1580 | 1 Mediawiki | 1 Mediawiki | 2025-04-11 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Special:Upload in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload files. | ||||
| CVE-2013-2114 | 1 Mediawiki | 1 Mediawiki | 2025-04-11 | N/A |
| Unrestricted file upload vulnerability in the chunk upload API in MediaWiki 1.19 through 1.19.6 and 1.20.x before 1.20.6 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. | ||||
| CVE-2011-4360 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-11 | N/A |
| MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter. | ||||
| CVE-2011-0003 | 1 Mediawiki | 1 Mediawiki | 2025-04-11 | N/A |
| MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled, allows remote attackers to conduct clickjacking attacks via unspecified vectors. | ||||