National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:mediawiki:mediawiki:1.3.0:beta4
There are 113 matching records.
Displaying matches 61 through 80.
Vuln ID Summary CVSS Severity
CVE-2014-3966

Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.

Published: June 06, 2014; 10:55:05 AM -04:00
V2: 2.6 LOW
CVE-2013-1818

maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote attackers to read arbitrary files via unspecified vectors.

Published: June 02, 2014; 11:55:09 AM -04:00
V2: 5.0 MEDIUM
CVE-2012-5395

Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the centralauth_Session cookie.

Published: June 02, 2014; 11:55:08 AM -04:00
V2: 6.8 MEDIUM
CVE-2012-5391

Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the session_id.

Published: June 02, 2014; 11:55:08 AM -04:00
V2: 6.8 MEDIUM
CVE-2014-3455

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote attackers to hijack the authentication of users for requests that have unspecified impact and vectors.

Published: May 12, 2014; 10:55:07 AM -04:00
V2: 6.8 MEDIUM
CVE-2014-3454

Cross-site request forgery (CSRF) vulnerability in Special:CreateCategory in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to hijack the authentication of users for requests that create categories via unspecified vectors.

Published: May 12, 2014; 10:55:07 AM -04:00
V2: 6.8 MEDIUM
CVE-2013-6472

MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.

Published: May 12, 2014; 10:55:06 AM -04:00
V2: 5.0 MEDIUM
CVE-2013-6454

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute.

Published: May 12, 2014; 10:55:06 AM -04:00
V2: 4.3 MEDIUM
CVE-2013-6453

MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML.

Published: May 12, 2014; 10:55:06 AM -04:00
V2: 7.5 HIGH
CVE-2013-6452

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file.

Published: May 12, 2014; 10:55:06 AM -04:00
V2: 4.3 MEDIUM
CVE-2013-4574

Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to videos.

Published: May 12, 2014; 10:55:04 AM -04:00
V2: 4.3 MEDIUM
CVE-2013-4571

Buffer overflow in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 has unspecified impact and remote vectors.

Published: May 12, 2014; 10:55:04 AM -04:00
V2: 7.5 HIGH
CVE-2013-4570

The zend_inline_hash_func function in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to converting Lua data structures to PHP, as demonstrated by passing { [{}] = 1 } to a module function.

Published: May 12, 2014; 10:55:04 AM -04:00
V2: 5.0 MEDIUM
CVE-2014-2853

Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.

Published: April 29, 2014; 02:55:08 PM -04:00
V2: 4.3 MEDIUM
CVE-2014-2665

includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

Published: April 19, 2014; 09:55:06 PM -04:00
V2: 4.0 MEDIUM
CVE-2014-2244

Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php.

Published: March 01, 2014; 11:57:25 PM -05:00
V2: 4.3 MEDIUM
CVE-2014-2243

includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.

Published: March 01, 2014; 11:57:25 PM -05:00
V2: 5.8 MEDIUM
CVE-2014-2242

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element.

Published: March 01, 2014; 11:57:25 PM -05:00
V2: 4.3 MEDIUM
CVE-2013-4569

The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3, when "Group changes by page in recent changes and watchlist" is enabled, allows remote attackers to obtain sensitive information (revision-deleted IPs) via the Recent Changes page.

Published: December 13, 2013; 01:07:54 PM -05:00
V2: 4.3 MEDIUM
CVE-2013-4568

Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer.

Published: December 13, 2013; 01:07:54 PM -05:00
V2: 4.3 MEDIUM