Total
365 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-34500 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2025-06-11 | N/A | 6.1 MEDIUM |
| An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class. | |||||
| CVE-2024-23172 | 1 Mediawiki | 1 Mediawiki | 2025-06-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog. | |||||
| CVE-2024-23178 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | N/A | 5.4 MEDIUM |
| An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message. | |||||
| CVE-2024-23177 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | N/A | 6.1 MEDIUM |
| An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter. | |||||
| CVE-2024-23173 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | N/A | 6.1 MEDIUM |
| An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php. | |||||
| CVE-2022-28204 | 1 Mediawiki | 1 Mediawiki | 2025-05-29 | N/A | 7.5 HIGH |
| A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk. | |||||
| CVE-2012-4378 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php. | |||||
| CVE-2017-8814 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk." | |||||
| CVE-2012-4380 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors. | |||||
| CVE-2017-8811 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks. | |||||
| CVE-2015-8628 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 4.3 MEDIUM | 5.3 MEDIUM |
| The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 allow remote attackers to obtain sensitive user login information via crafted links combined with page view statistics. | |||||
| CVE-2017-8808 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping. | |||||
| CVE-2016-6333 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css. | |||||
| CVE-2015-8625 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters. | |||||
| CVE-2016-6336 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete. | |||||
| CVE-2012-4377 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image. | |||||
| CVE-2017-8809 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability. | |||||
| CVE-2014-9487 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053. | |||||
| CVE-2012-4382 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
| MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt. | |||||
| CVE-2016-6337 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights. | |||||