Filtered by vendor Mediawiki
Subscribe
Total
383 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-6733 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 5.0 MEDIUM | N/A |
| GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors. | |||||
| CVE-2015-6730 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter, which is not properly handled in an error page, related to "ForeignAPI images." | |||||
| CVE-2015-6729 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the rel404 parameter, which is not properly handled in an error page. | |||||
| CVE-2015-6728 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 7.5 HIGH | N/A |
| The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack. | |||||
| CVE-2015-2942 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 7.1 HIGH | N/A |
| MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a different vulnerability than CVE-2015-2937. | |||||
| CVE-2015-2941 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to inject arbitrary web script or HTML via an invalid parameter in a wddx format request to api.php, which is not properly handled in an error message, related to unsafe calls to wddx_serialize_value. | |||||
| CVE-2015-2940 | 1 Mediawiki | 1 Checkuser | 2016-12-07 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the authentication of certain users for requests that retrieve sensitive user information via unspecified vectors. | |||||
| CVE-2015-2939 | 1 Mediawiki | 1 Scribunto | 2016-12-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace. | |||||
| CVE-2015-2938 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a custom JavaScript file, which is not properly handled when previewing the file. | |||||
| CVE-2015-2937 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 7.1 HIGH | N/A |
| MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM or Zend PHP, allows remote attackers to cause a denial of service ("quadratic blowup" and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, a different vulnerability than CVE-2015-2942. | |||||
| CVE-2015-2936 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 7.1 HIGH | N/A |
| MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password. | |||||
| CVE-2015-2935 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 5.0 MEDIUM | N/A |
| MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT." | |||||
| CVE-2015-2934 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file. | |||||
| CVE-2015-2933 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a LanguageConverter substitution string when using a language variant. | |||||
| CVE-2015-2932 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element. | |||||
| CVE-2015-2931 | 1 Mediawiki | 1 Mediawiki | 2016-12-07 | 4.3 MEDIUM | N/A |
| Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI. | |||||
| CVE-2013-2032 | 3 Fedoraproject, Gentoo, Mediawiki | 3 Fedora, Linux, Mediawiki | 2016-10-18 | 5.0 MEDIUM | N/A |
| MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks. | |||||
| CVE-2004-1405 | 1 Mediawiki | 1 Mediawiki | 2016-10-18 | 7.5 HIGH | N/A |
| MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code. | |||||
| CVE-2014-1610 | 1 Mediawiki | 1 Mediawiki | 2016-05-25 | 6.0 MEDIUM | N/A |
| MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php. | |||||
| CVE-2015-8002 | 1 Mediawiki | 1 Mediawiki | 2015-11-10 | 6.8 MEDIUM | N/A |
| The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authenticated users to cause a denial of service (disk consumption) via a file upload using one byte chunks. | |||||