Search Results
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:mediawiki:mediawiki:1.19.19:*:*:*:*:*:*:*
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2014-9476 | MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/." Published: January 16, 2015; 11:59:10 AM -0500 | V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-9475 | Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message. Published: January 16, 2015; 11:59:09 AM -0500 | V3.x:(not available) V2.0: 3.5 LOW |
CVE-2014-9507 | MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS. Published: January 04, 2015; 4:59:04 PM -0500 | V3.x:(not available) V2.0: 2.6 LOW |
CVE-2014-9277 | The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>. Published: January 04, 2015; 4:59:02 PM -0500 | V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-9276 | Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview. Published: January 04, 2015; 4:59:01 PM -0500 | V3.x:(not available) V2.0: 5.1 MEDIUM |
CVE-2014-7295 | The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allows remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css. Published: October 07, 2014; 10:55:09 AM -0400 | V3.x:(not available) V2.0: 3.5 LOW |
CVE-2013-1818 | maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote attackers to read arbitrary files via unspecified vectors. Published: June 02, 2014; 11:55:09 AM -0400 | V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-2853 | Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action. Published: April 29, 2014; 2:55:08 PM -0400 | V3.x:(not available) V2.0: 4.3 MEDIUM |