Vulnerabilities > Mediawiki

DATE CVE VULNERABILITY TITLE RISK
2015-04-13 CVE-2015-2931 Cross-site Scripting vulnerability in Mediawiki
Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI.
network
mediawiki CWE-79
4.3
4.3
2015-01-16 CVE-2014-9480 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts.
network
mediawiki CWE-79
4.3
4.3
2015-01-16 CVE-2014-9479 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox.
network
mediawiki CWE-79
4.3
4.3
2015-01-16 CVE-2014-9478 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page.
network
high complexity
mediawiki CWE-79
2.6
2.6
2015-01-16 CVE-2014-9477 Cross-site Scripting vulnerability in Mediawiki
Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter.
network
mediawiki CWE-79
4.3
4.3
2015-01-16 CVE-2014-9476 Permissions, Privileges, and Access Controls vulnerability in Mediawiki
MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/."
network
low complexity
mediawiki CWE-264
5.0
5.0
2015-01-16 CVE-2014-9475 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message.
network
mediawiki CWE-79
3.5
3.5
2015-01-04 CVE-2014-9507 Cross-site Scripting vulnerability in Mediawiki
MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.
network
high complexity
mediawiki CWE-79
2.6
2.6
2015-01-04 CVE-2014-9277 Command Injection vulnerability in Mediawiki
The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>.
network
low complexity
mediawiki CWE-77
7.5
7.5
2015-01-04 CVE-2014-9276 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.
network
high complexity
mediawiki CWE-352
5.1
5.1