U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:mediawiki:mediawiki:1.17.3:*:*:*:*:*:*:*
There are 242 matching records.
Displaying matches 41 through 60.
Vuln ID Summary CVSS Severity
CVE-2023-22911

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.

Published: January 10, 2023; 3:15:10 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-22909

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.

Published: January 10, 2023; 3:15:10 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2022-41767

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup.

Published: December 26, 2022; 1:15:11 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2022-41765

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.

Published: December 26, 2022; 1:15:11 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-44856

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.

Published: December 26, 2022; 1:15:10 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-44855

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.

Published: December 26, 2022; 12:15:10 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2021-44854

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.

Published: December 26, 2022; 12:15:10 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-42049

An issue was discovered in the Translate extension in MediaWiki through 1.36.2. Oversighters cannot undo revisions or oversight on pages where they suppressed information (such as PII). This allows oversighters to whitewash revisions.

Published: September 28, 2022; 11:15:14 PM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2021-42048

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.

Published: September 28, 2022; 11:15:14 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2021-42047

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can login with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback.

Published: September 28, 2022; 11:15:14 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2021-42046

An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.

Published: September 28, 2022; 11:15:14 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2021-42045

An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote.

Published: September 28, 2022; 11:15:14 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-28203

A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.

Published: September 19, 2022; 5:15:09 PM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-28201

An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.

Published: September 19, 2022; 5:15:09 PM -0400
V3.1: 4.4 MEDIUM
V2.0:(not available)
CVE-2022-39194

An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed.

Published: September 02, 2022; 1:15:07 AM -0400
V3.1: 4.9 MEDIUM
V2.0:(not available)
CVE-2022-34912

An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.

Published: July 02, 2022; 4:15:08 PM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2022-34911

An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().

Published: July 02, 2022; 4:15:08 PM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2022-34750

An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vectors within the Wikibase and WikibaseLexeme extensions. This is related to Special:NewLexeme and Special:NewProperty.

Published: June 28, 2022; 9:15:12 AM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2022-28323

An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,

Published: April 30, 2022; 12:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2022-29907

The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages.

Published: April 29, 2022; 12:15:10 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM