Mediawiki: Security Vulnerabilities
The provided tarball for Mediawiki 1.31 before 1.31.1 is missing the .htaccess files used to protect some directories that shouldn't be web accessible.
CVSS Score
5.3
EPSS Score
0.001
Published
2018-10-04
MediaWiki 1.18.0 allows remote attackers to obtain the installation path via vectors related to thumbnail creation.
CVSS Score
5.3
EPSS Score
0.004
Published
2018-04-16
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext.
CVSS Score
7.8
EPSS Score
0.001
Published
2018-04-13
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token.
CVSS Score
8.8
EPSS Score
0.002
Published
2018-04-13
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-04-13
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-04-13
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations.
CVSS Score
4.7
EPSS Score
0.003
Published
2018-04-13
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that allows the SVG filter to be evaded using default attribute values in a DTD declaration.
CVSS Score
5.4
EPSS Score
0.004
Published
2018-04-13
Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of a temporary directory: having the LocalisationCache directory default to the system tmp directory is insecure.
CVSS Score
8.8
EPSS Score
0.005
Published
2018-04-13
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that makes rawHTML mode apply to system messages.
CVSS Score
5.3
EPSS Score
0.002
Published
2018-04-13

