Mediawiki: >> Mediawiki >> 1.10.1 Security Vulnerabilities
MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the title attribute.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-02-18
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Special:CheckUserLog allows CheckUser XSS because of date mishandling, as demonstrated by an XSS payload in MediaWiki:October.
CVSS Score
4.8
EPSS Score
0.002
Published
2022-01-10
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Some unprivileged users can view confidential information (e.g., IP addresses and User-Agent headers for election traffic) on a testwiki SecurePoll instance.
CVSS Score
6.5
EPSS Score
0.002
Published
2022-01-10
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A denial of service (resource consumption) can be accomplished by searching for a very long key in a Language Name Search.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-01-10
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The WikibaseMediaInfo component is vulnerable to XSS via the caption fields for a given media file.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-01-10
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.
CVSS Score
8.8
EPSS Score
0.001
Published
2022-01-10
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-12-24
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-12-24
In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-12-24
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead.
CVSS Score
7.5
EPSS Score
0.004
Published
2021-12-20