Vulnerabilities > Mediawiki
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2015-04-13 | CVE-2015-2941 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to inject arbitrary web script or HTML via an invalid parameter in a wddx format request to api.php, which is not properly handled in an error message, related to unsafe calls to wddx_serialize_value. | 4.3 |
| 2015-04-13 | CVE-2015-2940 | Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki Checkuser Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the authentication of certain users for requests that retrieve sensitive user information via unspecified vectors. | 6.8 |
| 2015-04-13 | CVE-2015-2939 | Cross-site Scripting vulnerability in Mediawiki Scribunto Cross-site scripting (XSS) vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace. | 4.3 |
| 2015-04-13 | CVE-2015-2938 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a custom JavaScript file, which is not properly handled when previewing the file. | 4.3 |
| 2015-04-13 | CVE-2015-2937 | Resource Management Errors vulnerability in Mediawiki MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM or Zend PHP, allows remote attackers to cause a denial of service ("quadratic blowup" and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, a different vulnerability than CVE-2015-2942. | 7.1 |
| 2015-04-13 | CVE-2015-2936 | Resource Management Errors vulnerability in Mediawiki 1.24.0/1.24.1 MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password. | 7.1 |
| 2015-04-13 | CVE-2015-2935 | Information Exposure vulnerability in Mediawiki MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT." | 5.0 |
| 2015-04-13 | CVE-2015-2934 | Cross-site Scripting vulnerability in Mediawiki MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file. | 4.3 |
| 2015-04-13 | CVE-2015-2933 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a LanguageConverter substitution string when using a language variant. | 4.3 |
| 2015-04-13 | CVE-2015-2932 | Cross-site Scripting vulnerability in Mediawiki Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element. | 4.3 |