Vulnerabilities > Mediawiki

DATE CVE VULNERABILITY TITLE RISK
2017-12-29 CVE-2015-8008 Improper Access Control vulnerability in multiple products
The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token.
network
low complexity
mediawiki fedoraproject CWE-284
7.5
7.5
2017-11-15 CVE-2017-8815 Improper Input Validation vulnerability in multiple products
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.
network
low complexity
mediawiki debian CWE-20
7.5
7.5
2017-11-15 CVE-2017-8814 Improper Input Validation vulnerability in multiple products
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk."
network
low complexity
mediawiki debian CWE-20
7.5
7.5
2017-11-15 CVE-2017-8812 MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline.
network
low complexity
mediawiki debian
5.3
5.3
2017-11-15 CVE-2017-8811 Improper Input Validation vulnerability in multiple products
The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks.
network
low complexity
mediawiki debian CWE-20
6.1
6.1
2017-11-15 CVE-2017-8810 Information Exposure vulnerability in multiple products
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.
network
low complexity
mediawiki debian CWE-200
7.5
7.5
2017-11-15 CVE-2017-8809 Injection vulnerability in multiple products
api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.
network
low complexity
mediawiki debian CWE-74
critical
 9.8
9.8
2017-11-15 CVE-2017-8808 Cross-site Scripting vulnerability in multiple products
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping.
network
low complexity
mediawiki debian CWE-79
6.1
6.1
2017-10-26 CVE-2012-4378 Cross-site Scripting vulnerability in Mediawiki
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php.
network
low complexity
mediawiki CWE-79
6.1
6.1
2017-10-26 CVE-2012-4377 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.
network
low complexity
mediawiki CWE-79
6.1
6.1