Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:mediawiki:mediawiki:1.16.0:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 177 matching records.
Displaying matches 161 through 177.
Vuln ID Summary CVSS Severity
CVE-2013-2032

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks.

Published: November 17, 2013; 9:55:07 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-2031

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox.

Published: November 17, 2013; 9:55:07 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-2698

Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page.

Published: June 29, 2012; 3:55:05 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-4361

MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions.

Published: January 08, 2012; 6:55:19 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-4360

MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter.

Published: January 08, 2012; 6:55:18 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-1766

includes/User.php in MediaWiki before 1.16.5, when wgBlockDisablesLogin is enabled, does not clear certain cached data after verification of an auth token fails, which allows remote attackers to bypass authentication by creating crafted wikiUserID and wikiUserName cookies, or by leveraging an unattended workstation.

Published: May 23, 2011; 6:55:01 PM -0400
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2011-1765

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .shtml at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578 and CVE-2011-1587.

Published: May 23, 2011; 6:55:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-1587

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578.

Published: April 26, 2011; 8:55:04 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-1580

The transwiki import functionality in MediaWiki before 1.16.3 does not properly check privileges, which allows remote authenticated users to perform imports from any wgImportSources wiki via a crafted POST request.

Published: April 26, 2011; 8:55:04 PM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2011-1579

The checkCss function in includes/Sanitizer.php in the wikitext parser in MediaWiki before 1.16.3 does not properly validate Cascading Style Sheets (CSS) token sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information by using the \2f\2a and \2a\2f hex strings to surround CSS comments.

Published: April 26, 2011; 8:55:04 PM -0400
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2011-1578

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character.

Published: April 26, 2011; 8:55:04 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-0537

Multiple directory traversal vulnerabilities in (1) languages/Language.php and (2) includes/StubObject.php in MediaWiki 1.8.0 and other versions before 1.16.2, when running on Windows and possibly Novell Netware, allow remote attackers to include and execute arbitrary local PHP files via vectors related to a crafted language file and the Language::factory function.

Published: February 03, 2011; 8:00:07 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2011-0047

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability."

Published: February 03, 2011; 8:00:05 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-0003

MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled, allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Published: January 10, 2011; 10:00:05 PM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2010-1648

Cross-site request forgery (CSRF) vulnerability in the login interface in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to hijack the authentication of users for requests that (1) create accounts or (2) reset passwords, related to the Special:Userlogin form.

Published: June 07, 2010; 8:30:01 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2010-1647

Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer.

Published: June 07, 2010; 8:30:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2010-1150

MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue.

Published: April 20, 2010; 11:30:00 AM -0400
V3.x:(not available)
V2.0: 6.0 MEDIUM