Vulnerabilities > Mediawiki

DATE CVE VULNERABILITY TITLE RISK
2017-04-20 CVE-2016-6331 Improper Access Control vulnerability in Mediawiki
ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php.
network
low complexity
mediawiki CWE-284
7.5
2017-03-23 CVE-2015-8628 Information Exposure vulnerability in Mediawiki
The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 allow remote attackers to obtain sensitive user login information via crafted links combined with page view statistics.
network
high complexity
mediawiki CWE-200
5.3
2017-03-23 CVE-2015-8627 Improper Access Control vulnerability in Mediawiki
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not supposed to have been allowed.
network
low complexity
mediawiki CWE-284
5.3
2017-03-23 CVE-2015-8626 Credentials Management vulnerability in Mediawiki
The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 generates passwords smaller than $wgMinimalPasswordLength, which makes it easier for remote attackers to obtain access via a brute-force attack.
network
low complexity
mediawiki CWE-255
critical
9.8
2017-03-23 CVE-2015-8625 Information Exposure vulnerability in Mediawiki
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.
network
low complexity
mediawiki CWE-200
7.5
2017-03-23 CVE-2015-8624 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623.
network
low complexity
mediawiki CWE-352
8.8
2017-03-23 CVE-2015-8623 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624.
network
low complexity
mediawiki CWE-352
8.8
2017-03-23 CVE-2015-8622 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to a page named "javascript:alert('XSS!')."
network
low complexity
mediawiki CWE-79
6.1