Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:mediawiki:mediawiki:1.17.1:*:*:*:*:*:*:*
There are 141 matching records.
Displaying matches 121 through 140.
Vuln ID Summary CVSS Severity
CVE-2013-4570

The zend_inline_hash_func function in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to converting Lua data structures to PHP, as demonstrated by passing { [{}] = 1 } to a module function.

Published: May 12, 2014; 10:55:04 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-2853

Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.

Published: April 29, 2014; 2:55:08 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-2665

includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

Published: April 19, 2014; 9:55:06 PM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2014-2244

Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php.

Published: March 01, 2014; 11:57:25 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-2243

includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.

Published: March 01, 2014; 11:57:25 PM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2014-2242

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element.

Published: March 01, 2014; 11:57:25 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4569

The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3, when "Group changes by page in recent changes and watchlist" is enabled, allows remote attackers to obtain sensitive information (revision-deleted IPs) via the Recent Changes page.

Published: December 13, 2013; 1:07:54 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4568

Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer.

Published: December 13, 2013; 1:07:54 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4567

Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS.

Published: December 13, 2013; 1:07:54 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-5394

Cross-site request forgery (CSRF) vulnerability in the CentralAuth extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to hijack the authentication of users for requests that login via vectors involving image loading.

Published: December 13, 2013; 1:07:53 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-2032

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks.

Published: November 17, 2013; 9:55:07 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-2031

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox.

Published: November 17, 2013; 9:55:07 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-4885

The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function.

Published: September 09, 2012; 5:55:07 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-1582

Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to inject arbitrary web script or HTML via a crafted page with "forged strip item markers," as demonstrated using the CharInsert extension.

Published: September 09, 2012; 5:55:06 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-1581

MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random numbers for password reset tokens, which makes it easier for remote attackers to change the passwords of arbitrary users.

Published: September 09, 2012; 5:55:06 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-1580

Cross-site request forgery (CSRF) vulnerability in Special:Upload in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload files.

Published: September 09, 2012; 5:55:06 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-1579

The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information.

Published: September 09, 2012; 5:55:06 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-1578

Multiple cross-site request forgery (CSRF) vulnerabilities in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allow remote attackers to hijack the authentication of users with the block permission for requests that (1) block a user via a request to the Block module or (2) unblock a user via a request to the Unblock module.

Published: September 09, 2012; 5:55:05 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-2698

Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page.

Published: June 29, 2012; 3:55:05 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-4361

MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions.

Published: January 08, 2012; 6:55:19 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM