Mediawiki: >> Mediawiki >> 1.3.3 Security Vulnerabilities
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors.
CVSS Score
8.1
EPSS Score
0.031
Published
2020-02-08
The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.
CVSS Score
7.5
EPSS Score
0.013
Published
2020-02-06
The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page.
CVSS Score
5.3
EPSS Score
0.004
Published
2020-01-28
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVSS Score
5.9
EPSS Score
0.006
Published
2020-01-27
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-12-11
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
CVSS Score
7.5
EPSS Score
0.016
Published
2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.
CVSS Score
7.5
EPSS Score
0.041
Published
2019-11-20
A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names.
CVSS Score
6.1
EPSS Score
0.02
Published
2019-10-31
mediawiki allows deleted text to be exposed
CVSS Score
7.5
EPSS Score
0.004
Published
2019-10-29
In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.
CVSS Score
5.3
EPSS Score
0.004
Published
2019-09-26