Mediawiki: >> Mediawiki >> 1.23.1 Security Vulnerabilities
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS).
CVSS Score
5.3
EPSS Score
0.003
Published
2020-04-03
In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled.
CVSS Score
9.8
EPSS Score
0.003
Published
2020-03-12
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVSS Score
5.9
EPSS Score
0.005
Published
2020-01-27
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-12-11
In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.
CVSS Score
5.3
EPSS Score
0.004
Published
2019-09-26
MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
CVSS Score
6.5
EPSS Score
0.002
Published
2019-07-10
Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
CVSS Score
6.5
EPSS Score
0.002
Published
2019-07-10
Wikimedia MediaWiki through 1.32.1 allows CSRF.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-07-10
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
CVSS Score
7.5
EPSS Score
0.002
Published
2019-07-10
Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-07-10