Vulnerabilities > Mediawiki
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-04-13 | CVE-2017-0369 | Incorrect Default Permissions vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw, allowing a sysops to undelete pages, although the page is protected against it. | 6.5 |
2018-04-13 | CVE-2017-0368 | Improper Input Validation vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw making rawHTML mode apply to system messages. | 5.3 |
2018-04-13 | CVE-2017-0367 | Exposure of Resource to Wrong Sphere vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure. | 8.8 |
2018-04-13 | CVE-2017-0366 | Improper Input Validation vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing to evade SVG filter using default attribute values in DTD declaration. | 5.4 |
2018-04-13 | CVE-2017-0365 | Cross-site Scripting vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations. | 4.7 |
2018-04-13 | CVE-2017-0364 | Open Redirect vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link. | 6.1 |
2018-04-13 | CVE-2017-0363 | Open Redirect vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites. | 6.1 |
2018-04-13 | CVE-2017-0362 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. | 8.8 |
2018-04-13 | CVE-2017-0361 | Information Exposure vulnerability in multiple products Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext. | 7.8 |
2017-12-29 | CVE-2015-8008 | Improper Access Control vulnerability in multiple products The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token. | 7.5 |