Vulnerabilities > Mediawiki > Mediawiki > 1.28.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-04-13 | CVE-2017-0367 | Exposure of Resource to Wrong Sphere vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure. | 6.5 |
| 2018-04-13 | CVE-2017-0366 | Improper Input Validation vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing to evade SVG filter using default attribute values in DTD declaration. | 4.0 |
| 2018-04-13 | CVE-2017-0365 | Cross-site Scripting vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations. | 2.6 |
| 2018-04-13 | CVE-2017-0364 | Open Redirect vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link. | 5.8 |
| 2018-04-13 | CVE-2017-0363 | Open Redirect vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites. | 5.8 |
| 2018-04-13 | CVE-2017-0362 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. | 6.8 |
| 2018-04-13 | CVE-2017-0361 | Information Exposure vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext. | 2.1 |
| 2017-11-15 | CVE-2017-8815 | Improper Input Validation vulnerability in multiple products The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules. | 5.0 |
| 2017-11-15 | CVE-2017-8814 | Improper Input Validation vulnerability in multiple products The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk." | 5.0 |
| 2017-11-15 | CVE-2017-8812 | MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline. | 5.0 |