Vulnerabilities > Mediawiki
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2013-10-27 | CVE-2013-4302 | Permissions, Privileges, and Access Controls vulnerability in Mediawiki (1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php. | 5.0 |
2013-10-27 | CVE-2013-4301 | Information Exposure vulnerability in Mediawiki includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message. | 5.0 |
2013-10-11 | CVE-2013-4306 | Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors. | 6.8 |
2013-10-11 | CVE-2013-4305 | Cross-Site Scripting vulnerability in Mediawiki 1.19.7/1.20.6/1.21.1 Cross-site scripting (XSS) vulnerability in contrib/example.php in the SyntaxHighlight GeSHi extension for MediaWiki, possibly as downloaded before September 2013, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | 4.3 |
2013-09-12 | CVE-2013-4308 | Cross-Site Scripting vulnerability in Liquidthreads Project Liquidthreads 2.0/2.1 Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. | 4.3 |
2013-09-12 | CVE-2013-4307 | Cross-Site Scripting vulnerability in Mediawiki Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description. | 4.3 |
2012-12-31 | CVE-2012-6453 | Cross-Site Scripting vulnerability in Mediawiki Rssreader Cross-site scripting (XSS) vulnerability in the RSS Reader extension before 0.2.6 for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a crafted feed. | 4.3 |
2012-09-09 | CVE-2012-4885 | Multiple Security vulnerability in MediaWiki The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function. | 5.0 |
2012-09-09 | CVE-2012-1582 | Cross-Site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to inject arbitrary web script or HTML via a crafted page with "forged strip item markers," as demonstrated using the CharInsert extension. | 4.3 |
2012-09-09 | CVE-2012-1581 | Permissions, Privileges, and Access Controls vulnerability in Mediawiki MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random numbers for password reset tokens, which makes it easier for remote attackers to change the passwords of arbitrary users. | 5.0 |