Vulnerabilities > Mediawiki

DATE / CVE / VULNERABILITY TITLE / DESCRIPTION / ACCESS VECTOR / ATTACK COMPLEXITY / AFFECTED PRODUCTS AND CWE / RISK SCORE
2018-04-13 CVE-2017-0369 Incorrect Default Permissions vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that allows a sysop to undelete pages even when the page is protected against undeletion.
network
low complexity
mediawiki debian CWE-276
6.5
2018-04-13 CVE-2017-0368 Improper Input Validation vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that makes rawHTML mode apply to system messages.
network
low complexity
mediawiki debian CWE-20
5.3
2018-04-13 CVE-2017-0367 Exposure of Resource to Wrong Sphere vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of a temporary directory: the LocalisationCache directory defaults to the system tmp directory, which is insecure.
network
low complexity
mediawiki debian CWE-668
8.8
2018-04-13 CVE-2017-0366 Improper Input Validation vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that allows the SVG filter to be evaded using default attribute values in a DTD declaration.
network
low complexity
mediawiki debian CWE-20
5.4
2018-04-13 CVE-2017-0365 Cross-site Scripting vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations.
network
high complexity
mediawiki debian CWE-79
4.7
2018-04-13 CVE-2017-0364 Open Redirect vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link.
network
low complexity
mediawiki debian CWE-601
6.1
2018-04-13 CVE-2017-0363 Open Redirect vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites.
network
low complexity
mediawiki debian CWE-601
6.1
2018-04-13 CVE-2017-0362 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" action on the watchlist does not require a CSRF token.
network
low complexity
mediawiki debian CWE-352
8.8
2018-04-13 CVE-2017-0361 Information Exposure vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext.
local
low complexity
mediawiki debian CWE-200
7.8
2017-12-29 CVE-2015-8008 Improper Access Control vulnerability in multiple products
The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token.
network
low complexity
mediawiki fedoraproject CWE-284
7.5