Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*
There are 129 matching records.
Displaying matches 121 through 129.
Vuln ID Summary CVSS Severity
CVE-2013-2032

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks.

Published: November 17, 2013; 9:55:07 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-2031

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox.

Published: November 17, 2013; 9:55:07 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4302

(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.

Published: October 26, 2013; 8:55:03 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-4301

includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message.

Published: October 26, 2013; 8:55:03 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-4306

Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors.

Published: October 11, 2013; 5:55:44 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-4308

Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject.

Published: September 12, 2013; 9:31:13 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4307

Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description.

Published: September 12, 2013; 9:30:39 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-4361

MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions.

Published: January 08, 2012; 6:55:19 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-4360

MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter.

Published: January 08, 2012; 6:55:18 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM