Vulnerabilities > Mediawiki > Mediawiki > 1.27.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-04-13 | CVE-2017-0361 | Information Exposure vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext. | 2.1 |
| 2017-11-15 | CVE-2017-8815 | Improper Input Validation vulnerability in multiple products The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules. | 5.0 |
| 2017-11-15 | CVE-2017-8814 | Improper Input Validation vulnerability in multiple products The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk." | 5.0 |
| 2017-11-15 | CVE-2017-8812 | MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline. | 5.0 |
| 2017-11-15 | CVE-2017-8811 | Improper Input Validation vulnerability in multiple products The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks. | 4.3 |
| 2017-11-15 | CVE-2017-8810 | Information Exposure vulnerability in multiple products MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests. | 5.0 |
| 2017-11-15 | CVE-2017-8809 | Injection vulnerability in multiple products api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability. | 7.5 |
| 2017-11-15 | CVE-2017-8808 | Cross-site Scripting vulnerability in multiple products MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping. | 4.3 |
| 2017-04-20 | CVE-2016-6337 | Improper Access Control vulnerability in Mediawiki 1.27.0 MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights. | 5.0 |
| 2017-04-20 | CVE-2016-6336 | Improper Access Control vulnerability in Mediawiki MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete. | 4.0 |