Vulnerabilities > Mediawiki > Mediawiki > 1.24.1
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2015-09-01 | CVE-2015-6733 | Resource Management Errors vulnerability in Mediawiki GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors. | 5.0 |
| 2015-09-01 | CVE-2015-6730 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter, which is not properly handled in an error page, related to "ForeignAPI images." | 4.3 |
| 2015-09-01 | CVE-2015-6729 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the rel404 parameter, which is not properly handled in an error page. | 4.3 |
| 2015-09-01 | CVE-2015-6728 | Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack. | 7.5 |
| 2015-09-01 | CVE-2015-6727 | Information Exposure vulnerability in multiple products The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to determine if an IP is autoblocked via the "Change block" text. | 5.0 |
| 2015-04-13 | CVE-2015-2942 | Resource Management Errors vulnerability in Mediawiki MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a different vulnerability than CVE-2015-2937. | 7.1 |
| 2015-04-13 | CVE-2015-2941 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to inject arbitrary web script or HTML via an invalid parameter in a wddx format request to api.php, which is not properly handled in an error message, related to unsafe calls to wddx_serialize_value. | 4.3 |
| 2015-04-13 | CVE-2015-2938 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a custom JavaScript file, which is not properly handled when previewing the file. | 4.3 |
| 2015-04-13 | CVE-2015-2937 | Resource Management Errors vulnerability in Mediawiki MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM or Zend PHP, allows remote attackers to cause a denial of service ("quadratic blowup" and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, a different vulnerability than CVE-2015-2942. | 7.1 |
| 2015-04-13 | CVE-2015-2936 | Resource Management Errors vulnerability in Mediawiki 1.24.0/1.24.1 MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password. | 7.1 |