Vulnerabilities > Mediawiki > Mediawiki > 1.20

DATE CVE VULNERABILITY TITLE RISK
2013-12-13 CVE-2012-5394 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
Cross-site request forgery (CSRF) vulnerability in the CentralAuth extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to hijack the authentication of users for requests that login via vectors involving image loading.
network
mediawiki CWE-352
6.8
6.8
2013-11-25 CVE-2013-4573 Cross-Site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in the ZeroRatedMobileAccess extension for MediaWiki 1.19.x before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to inject arbitrary web script or HTML via the "to" parameter to index.php.
network
mediawiki CWE-79
4.3
4.3
2013-10-27 CVE-2013-4302 Permissions, Privileges, and Access Controls vulnerability in Mediawiki
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.
network
low complexity
mediawiki CWE-264
5.0
5.0
2013-10-27 CVE-2013-4301 Information Exposure vulnerability in Mediawiki
includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message.
network
low complexity
mediawiki CWE-200
5.0
5.0
2013-09-12 CVE-2013-4308 Cross-Site Scripting vulnerability in Liquidthreads Project Liquidthreads 2.0/2.1
Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. 		4.3
4.3
2013-09-12 CVE-2013-4307 Cross-Site Scripting vulnerability in Mediawiki
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description.
network
mediawiki CWE-79
4.3
4.3