Vulnerabilities > Mediawiki > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-04-13 CVE-2017-0363 Open Redirect vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites.
network
low complexity
mediawiki debian CWE-601
6.1
6.1
2017-11-15 CVE-2017-8812 MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline.
network
low complexity
mediawiki debian
5.3
5.3
2017-11-15 CVE-2017-8811 Improper Input Validation vulnerability in multiple products
The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks.
network
low complexity
mediawiki debian CWE-20
6.1
6.1
2017-11-15 CVE-2017-8808 Cross-site Scripting vulnerability in multiple products
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping.
network
low complexity
mediawiki debian CWE-79
6.1
6.1
2017-10-26 CVE-2012-4378 Cross-site Scripting vulnerability in Mediawiki
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php.
network
low complexity
mediawiki CWE-79
6.1
6.1
2017-10-26 CVE-2012-4377 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.
network
low complexity
mediawiki CWE-79
6.1
6.1
2017-10-19 CVE-2012-4382 Information Exposure vulnerability in Mediawiki
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt.
network
low complexity
mediawiki CWE-200
4.9
4.9
2017-10-19 CVE-2012-4379 Improper Access Control vulnerability in Mediawiki
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.
network
low complexity
mediawiki CWE-284
6.5
6.5
2017-04-20 CVE-2016-6336 Improper Access Control vulnerability in Mediawiki
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete.
network
low complexity
mediawiki CWE-284
6.5
6.5
2017-04-20 CVE-2016-6334 Cross-site Scripting vulnerability in Mediawiki
Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links.
network
low complexity
mediawiki CWE-79
6.1
6.1