Vulnerabilities > Mediawiki > Mediawiki > 1.25.1
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2015-09-01 | CVE-2015-6730 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter, which is not properly handled in an error page, related to "ForeignAPI images." | 4.3 |
2015-09-01 | CVE-2015-6729 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the rel404 parameter, which is not properly handled in an error page. | 4.3 |
2015-09-01 | CVE-2015-6728 | Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack. | 7.5 |
2015-09-01 | CVE-2015-6727 | Information Exposure vulnerability in multiple products The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to determine if an IP is autoblocked via the "Change block" text. | 5.0 |