ReportizFlow
Filtered by vendor Mediawiki
Subscriptions
Total
404 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2014-5243 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. | ||||
| CVE-2012-5395 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the centralauth_Session cookie. | ||||
| CVE-2013-6452 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file. | ||||
| CVE-2013-6472 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists. | ||||
| CVE-2015-2936 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password. | ||||
| CVE-2013-4574 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to videos. | ||||
| CVE-2015-2942 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a different vulnerability than CVE-2015-2937. | ||||
| CVE-2015-2940 | 1 Mediawiki | 1 Checkuser | 2025-04-12 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the authentication of certain users for requests that retrieve sensitive user information via unspecified vectors. | ||||
| CVE-2015-8001 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file size. | ||||
| CVE-2014-3454 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Special:CreateCategory in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to hijack the authentication of users for requests that create categories via unspecified vectors. | ||||
| CVE-2015-2941 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to inject arbitrary web script or HTML via an invalid parameter in a wddx format request to api.php, which is not properly handled in an error message, related to unsafe calls to wddx_serialize_value. | ||||
| CVE-2014-7295 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allows remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css. | ||||
| CVE-2015-6729 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the rel404 parameter, which is not properly handled in an error page. | ||||
| CVE-2015-2939 | 1 Mediawiki | 1 Scribunto | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace. | ||||
| CVE-2015-2935 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT." | ||||
| CVE-2014-3455 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote attackers to hijack the authentication of users for requests that have unspecified impact and vectors. | ||||
| CVE-2015-6728 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack. | ||||
| CVE-2015-6734 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2015-6733 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors. | ||||
| CVE-2012-5391 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | N/A |
| Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the session_id. | ||||