Total
333 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-29141 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-04 | N/A | 9.8 CRITICAL |
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. | |||||
CVE-2021-30153 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 4.3 MEDIUM |
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor. | |||||
CVE-2023-37304 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 5.4 MEDIUM |
An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the column alignment feature. | |||||
CVE-2023-37303 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 9.8 CRITICAL |
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user fails after a temporary browser hang and a DBQueryDisconnectedError error message. | |||||
CVE-2023-37255 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 6.1 MEDIUM |
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header. | |||||
CVE-2023-22911 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-04 | N/A | 6.1 MEDIUM |
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context. | |||||
CVE-2023-22945 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-04 | N/A | 4.3 MEDIUM |
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. | |||||
CVE-2022-41767 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup. | |||||
CVE-2023-22909 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-04 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow. | |||||
CVE-2022-41765 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. | |||||
CVE-2021-44856 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value. | |||||
CVE-2022-39193 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 5.3 MEDIUM |
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with suppression rights. | |||||
CVE-2021-44855 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 5.4 MEDIUM |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature. | |||||
CVE-2022-47927 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-04 | N/A | 5.5 MEDIUM |
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data. | |||||
CVE-2021-44854 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | N/A | 5.3 MEDIUM |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis. | |||||
CVE-2022-28201 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-02-04 | N/A | 4.4 MEDIUM |
An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. | |||||
CVE-2022-28203 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-02-04 | N/A | 7.5 HIGH |
A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query. | |||||
CVE-2022-34911 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text(). | |||||
CVE-2022-34912 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped. | |||||
CVE-2022-28206 | 1 Mediawiki | 1 Mediawiki | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights. |