Vulnerabilities > Mediawiki

DATE CVE VULNERABILITY TITLE RISK
2013-10-27 CVE-2013-4302 Permissions, Privileges, and Access Controls vulnerability in Mediawiki
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.
network
low complexity
mediawiki CWE-264
5.0
5.0
2013-10-27 CVE-2013-4301 Information Exposure vulnerability in Mediawiki
includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message.
network
low complexity
mediawiki CWE-200
5.0
5.0
2013-10-11 CVE-2013-4306 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors.
network
mediawiki CWE-352
6.8
6.8
2013-10-11 CVE-2013-4305 Cross-Site Scripting vulnerability in Mediawiki 1.19.7/1.20.6/1.21.1
Cross-site scripting (XSS) vulnerability in contrib/example.php in the SyntaxHighlight GeSHi extension for MediaWiki, possibly as downloaded before September 2013, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
network
mediawiki CWE-79
4.3
4.3
2013-09-12 CVE-2013-4308 Cross-Site Scripting vulnerability in Liquidthreads Project Liquidthreads 2.0/2.1
Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. 		4.3
4.3
2013-09-12 CVE-2013-4307 Cross-Site Scripting vulnerability in Mediawiki
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description.
network
mediawiki CWE-79
4.3
4.3
2012-12-31 CVE-2012-6453 Cross-Site Scripting vulnerability in Mediawiki Rssreader
Cross-site scripting (XSS) vulnerability in the RSS Reader extension before 0.2.6 for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a crafted feed.
network
mediawiki CWE-79
4.3
4.3
2012-09-09 CVE-2012-4885 Multiple Security vulnerability in MediaWiki
The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function.
network
low complexity
mediawiki
5.0
5.0
2012-09-09 CVE-2012-1582 Cross-Site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to inject arbitrary web script or HTML via a crafted page with "forged strip item markers," as demonstrated using the CharInsert extension.
network
mediawiki CWE-79
4.3
4.3
2012-09-09 CVE-2012-1581 Permissions, Privileges, and Access Controls vulnerability in Mediawiki
MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random numbers for password reset tokens, which makes it easier for remote attackers to change the passwords of arbitrary users.
network
low complexity
mediawiki CWE-264
5.0
5.0