Vulnerabilities > Mediawiki

DATE CVE VULNERABILITY TITLE RISK
2017-10-19 CVE-2012-4380 Improper Access Control vulnerability in Mediawiki
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.
network
low complexity
mediawiki CWE-284
7.5
2017-10-19 CVE-2012-4379 Improper Access Control vulnerability in Mediawiki
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.
network
low complexity
mediawiki CWE-284
6.5
2017-10-17 CVE-2014-9487 XXE vulnerability in Mediawiki
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
network
low complexity
mediawiki CWE-611
critical
9.8
2017-07-25 CVE-2015-8009 Credentials Management vulnerability in Mediawiki
The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials.
network
low complexity
mediawiki CWE-255
critical
9.8
2017-04-20 CVE-2016-6337 Improper Access Control vulnerability in Mediawiki 1.27.0
MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights.
network
low complexity
mediawiki CWE-284
7.5
2017-04-20 CVE-2016-6336 Improper Access Control vulnerability in Mediawiki
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete.
network
low complexity
mediawiki CWE-284
6.5
2017-04-20 CVE-2016-6335 Information Exposure vulnerability in Mediawiki
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php.
network
low complexity
mediawiki CWE-200
7.5
2017-04-20 CVE-2016-6334 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links.
network
low complexity
mediawiki CWE-79
6.1
2017-04-20 CVE-2016-6333 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css.
network
low complexity
mediawiki CWE-79
6.1
2017-04-20 CVE-2016-6332 Information Exposure vulnerability in Mediawiki
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to terminate sessions when a user account is blocked.
network
low complexity
mediawiki CWE-200
7.5