Total
355 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22910 | 1 Mediawiki | 1 Mediawiki | 2023-01-26 | N/A | 5.4 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability. | |||||
| CVE-2023-22912 | 1 Mediawiki | 1 Mediawiki | 2023-01-26 | N/A | 5.3 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt. | |||||
| CVE-2022-28203 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2022-11-03 | N/A | 7.5 HIGH |
| A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query. | |||||
| CVE-2022-28201 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2022-11-03 | N/A | 4.4 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. | |||||
| CVE-2021-42045 | 1 Mediawiki | 1 Mediawiki | 2022-10-03 | N/A | 5.4 MEDIUM |
| An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote. | |||||
| CVE-2021-42049 | 1 Mediawiki | 1 Mediawiki | 2022-09-30 | N/A | 6.5 MEDIUM |
| An issue was discovered in the Translate extension in MediaWiki through 1.36.2. Oversighters cannot undo revisions or oversight on pages where they suppressed information (such as PII). This allows oversighters to whitewash revisions. | |||||
| CVE-2021-42046 | 1 Mediawiki | 1 Mediawiki | 2022-09-30 | N/A | 6.1 MEDIUM |
| An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript. | |||||
| CVE-2021-42048 | 1 Mediawiki | 1 Mediawiki | 2022-09-30 | N/A | 4.8 MEDIUM |
| An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits. | |||||
| CVE-2021-42047 | 1 Mediawiki | 1 Mediawiki | 2022-09-30 | N/A | 5.4 MEDIUM |
| An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can login with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback. | |||||
| CVE-2022-28204 | 1 Mediawiki | 1 Mediawiki | 2022-09-21 | N/A | 7.5 HIGH |
| A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk. | |||||
| CVE-2022-39194 | 1 Mediawiki | 1 Mediawiki | 2022-09-07 | N/A | 4.9 MEDIUM |
| An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed. | |||||
| CVE-2021-31547 | 1 Mediawiki | 1 Mediawiki | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules. | |||||
| CVE-2021-31554 | 1 Mediawiki | 1 Mediawiki | 2022-07-12 | 5.5 MEDIUM | 5.4 MEDIUM |
| An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked. | |||||
| CVE-2021-31552 | 1 Mediawiki | 1 Mediawiki | 2022-07-12 | 5.5 MEDIUM | 5.4 MEDIUM |
| An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations. | |||||
| CVE-2021-31548 | 1 Mediawiki | 1 Mediawiki | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed. | |||||
| CVE-2021-36128 | 1 Mediawiki | 1 Mediawiki | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Autoblocks for CentralAuth-issued suppression blocks are not properly implemented. | |||||
| CVE-2022-34750 | 1 Mediawiki | 1 Mediawiki | 2022-07-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vectors within the Wikibase and WikibaseLexeme extensions. This is related to Special:NewLexeme and Special:NewProperty. | |||||
| CVE-2021-31546 | 1 Mediawiki | 1 Mediawiki | 2022-06-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly logged sensitive suppression deletions, which should not have been visible to users with access to view AbuseFilter log data. | |||||
| CVE-2022-29905 | 1 Mediawiki | 1 Mediawiki | 2022-05-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF. | |||||
| CVE-2022-29904 | 1 Mediawiki | 1 Mediawiki | 2022-05-10 | 7.5 HIGH | 9.8 CRITICAL |
| The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints. | |||||