Vulnerabilities > Mediawiki > Mediawiki > 1.21.1

DATE CVE VULNERABILITY TITLE RISK
2013-12-13 CVE-2013-4569 Information Exposure vulnerability in Mediawiki
The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3, when "Group changes by page in recent changes and watchlist" is enabled, allows remote attackers to obtain sensitive information (revision-deleted IPs) via the Recent Changes page.
network
mediawiki CWE-200
4.3
4.3
2013-12-13 CVE-2013-4568 HTML Injection vulnerability in Mediawiki CSS Tags
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer.
network
mediawiki
4.3
4.3
2013-12-13 CVE-2013-4567 HTML Injection vulnerability in Mediawiki CSS Tags
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS.
network
mediawiki
4.3
4.3
2013-12-13 CVE-2012-5394 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
Cross-site request forgery (CSRF) vulnerability in the CentralAuth extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to hijack the authentication of users for requests that login via vectors involving image loading.
network
mediawiki CWE-352
6.8
6.8
2013-11-25 CVE-2013-4573 Cross-Site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in the ZeroRatedMobileAccess extension for MediaWiki 1.19.x before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to inject arbitrary web script or HTML via the "to" parameter to index.php.
network
mediawiki CWE-79
4.3
4.3
2013-10-27 CVE-2013-4302 Permissions, Privileges, and Access Controls vulnerability in Mediawiki
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.
network
low complexity
mediawiki CWE-264
5.0
5.0
2013-10-27 CVE-2013-4301 Information Exposure vulnerability in Mediawiki
includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message.
network
low complexity
mediawiki CWE-200
5.0
5.0
2013-10-11 CVE-2013-4306 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors.
network
mediawiki CWE-352
6.8
6.8
2013-10-11 CVE-2013-4305 Cross-Site Scripting vulnerability in Mediawiki 1.19.7/1.20.6/1.21.1
Cross-site scripting (XSS) vulnerability in contrib/example.php in the SyntaxHighlight GeSHi extension for MediaWiki, possibly as downloaded before September 2013, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
network
mediawiki CWE-79
4.3
4.3
2013-09-12 CVE-2013-4308 Cross-Site Scripting vulnerability in Liquidthreads Project Liquidthreads 2.0/2.1
Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. 		4.3
4.3