Filtered by vendor Mediawiki
Subscriptions
Total
389 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-37254 | 1 Mediawiki | 1 Mediawiki | 2024-11-27 | 6.1 Medium |
| An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted page item when using the default format. | ||||
| CVE-2023-37256 | 1 Mediawiki | 1 Mediawiki | 2024-11-26 | 6.1 Medium |
| An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. It allows one to store javascript: URLs in URL fields, and automatically links these URLs. | ||||
| CVE-2023-37251 | 1 Mediawiki | 1 Mediawiki | 2024-11-26 | 6.1 Medium |
| An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs. | ||||
| CVE-2023-37255 | 1 Mediawiki | 1 Mediawiki | 2024-11-26 | 6.1 Medium |
| An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header. | ||||
| CVE-2023-37305 | 1 Mediawiki | 1 Mediawiki | 2024-11-26 | 5.3 Medium |
| An issue was discovered in the ProofreadPage (aka Proofread Page) extension for MediaWiki through 1.39.3. In includes/Page/PageContentHandler.php and includes/Page/PageDisplayHandler.php, hidden users can be exposed via public interfaces. | ||||
| CVE-2023-37302 | 1 Mediawiki | 1 Mediawiki | 2024-11-26 | 6.1 Medium |
| An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute). | ||||
| CVE-2023-37304 | 1 Mediawiki | 1 Mediawiki | 2024-11-26 | 5.4 Medium |
| An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the column alignment feature. | ||||
| CVE-2024-40601 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.3 Medium |
| An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules. | ||||
| CVE-2024-40600 | 1 Mediawiki | 2 Mediawiki, Metrolook Skin | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. | ||||
| CVE-2024-40597 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 7.5 High |
| An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. It can expose suppressed information for log events. (The log_deleted attribute is not respected.) | ||||
| CVE-2024-23179 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks. | ||||
| CVE-2024-23178 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 5.4 Medium |
| An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message. | ||||
| CVE-2024-23177 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter. | ||||
| CVE-2024-23174 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 5.4 Medium |
| An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message. | ||||
| CVE-2024-23173 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php. | ||||
| CVE-2024-23172 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 5.4 Medium |
| An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog. | ||||
| CVE-2024-23171 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 5.4 Medium |
| An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n). | ||||
| CVE-2023-51704 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.1 Medium |
| An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights. | ||||
| CVE-2023-45374 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 5.3 Medium |
| An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It does not check for the anti-CSRF edit token in Special:SportsTeamsManager and Special:UpdateFavoriteTeams. | ||||
| CVE-2023-45373 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the ProofreadPage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. XSS can occur via formatNumNoSeparators. | ||||