Vulnerabilities > Mediawiki

DATE CVE VULNERABILITY TITLE RISK
2014-10-07 CVE-2014-7295 Cross-Site Scripting vulnerability in Mediawiki
The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allows remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css.
network
mediawiki CWE-79
3.5
3.5
2014-09-30 CVE-2014-7199 Cross-Site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.
network
mediawiki CWE-79
4.3
4.3
2014-08-22 CVE-2014-5243 Improper Input Validation vulnerability in Mediawiki
MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.
network
mediawiki CWE-20
4.3
4.3
2014-08-22 CVE-2014-5242 Cross-Site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and 1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving the multipageimagenavbox class in conjunction with an action=raw value.
network
mediawiki CWE-79
4.3
4.3
2014-08-22 CVE-2014-5241 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set.
network
mediawiki CWE-352
6.8
6.8
2014-06-06 CVE-2014-3966 Cross-Site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.
network
high complexity
mediawiki CWE-79
2.6
2.6
2014-06-02 CVE-2013-1818 Information Exposure vulnerability in Mediawiki
maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote attackers to read arbitrary files via unspecified vectors.
network
low complexity
mediawiki CWE-200
5.0
5.0
2014-06-02 CVE-2012-5395 Session Fixation vulnerability in MediaWiki CentralAuth Extension
Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the centralauth_Session cookie.
network
mediawiki
6.8
6.8
2014-06-02 CVE-2012-5391 Session Fixation vulnerability in MediaWiki
Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the session_id.
network
mediawiki
6.8
6.8
2014-05-12 CVE-2014-3455 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote attackers to hijack the authentication of users for requests that have unspecified impact and vectors.
network
mediawiki CWE-352
6.8
6.8