U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): MediaWiki
  • Search Type: Search All
  • CPE Name Search: false
There are 380 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2023-22332

Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2 series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series), All versions of 3.7 series, All versions of 3.6 series, All versions of 3.5 series, All versions of 3.4 series, and All versions of 3.3 series. A specific database user's authentication information may be obtained by another database user. As a result, the information stored in the database may be altered and/or database may be suspended by a remote attacker who successfully logged in the product with the obtained credentials.

Published: January 30, 2023; 2:15:10 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2023-24612

The PdfBook extension through 2.0.5 before b07b6a64 for MediaWiki allows command injection via an option.

Published: January 29, 2023; 10:15:09 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2022-39193

An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with checkuser access.

Published: January 20, 2023; 2:15:15 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2023-22912

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt.

Published: January 20, 2023; 1:15:10 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2023-22910

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.

Published: January 20, 2023; 1:15:10 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-47927

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data.

Published: January 12, 2023; 1:15:08 AM -0500
V3.1: 5.5 MEDIUM
V2.0:(not available)
CVE-2023-22945

In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.

Published: January 10, 2023; 8:15:10 PM -0500
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2023-22911

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.

Published: January 10, 2023; 3:15:10 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-22909

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.

Published: January 10, 2023; 3:15:10 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2018-25065

A vulnerability was found in Wikimedia mediawiki-extensions-I18nTags and classified as problematic. This issue affects some unknown processing of the file I18nTags_body.php of the component Unlike Parser. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is b4bc3cbbb099eab50cf2b544cf577116f1867b94. It is recommended to apply a patch to fix this issue. The identifier VDB-217445 was assigned to this vulnerability.

Published: January 05, 2023; 5:15:09 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-41767

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup.

Published: December 26, 2022; 1:15:11 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2022-41765

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.

Published: December 26, 2022; 1:15:11 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-44856

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.

Published: December 26, 2022; 1:15:10 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-44855

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.

Published: December 26, 2022; 12:15:10 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2021-44854

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.

Published: December 26, 2022; 12:15:10 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2022-4561

A vulnerability classified as problematic has been found in SemanticDrilldown Extension. Affected is the function printFilterLine of the file includes/specials/SDBrowseDataPage.php of the component GET Parameter Handler. The manipulation of the argument value leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is 6e18cf740a4548166c1d95f6d3a28541d298a3aa. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215964.

Published: December 16, 2022; 12:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-23473

Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.148, Authorizations are not properly verified when accessing MediaWiki standalone resources. Users with read only permissions for pages are able to also edit them. This only affects the MediaWiki standalone plugin. This issue is patched in versions Tuleap Community Edition 14.2.99.148, Tuleap Enterprise Edition 14.2-5, and Tuleap Enterprise Edition 14.1-6.

Published: December 13, 2022; 2:15:09 AM -0500
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2022-42985

The ScratchLogin extension through 1.1 for MediaWiki does not escape verification failure messages, which allows users with administrator privileges to perform cross-site scripting (XSS).

Published: November 17, 2022; 12:15:15 AM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2021-42049

An issue was discovered in the Translate extension in MediaWiki through 1.36.2. Oversighters cannot undo revisions or oversight on pages where they suppressed information (such as PII). This allows oversighters to whitewash revisions.

Published: September 28, 2022; 11:15:14 PM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2021-42048

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.

Published: September 28, 2022; 11:15:14 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)