Mediawiki: >> Mediawiki >> 1.35.9 Security Vulnerabilities
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints.
CVSS Score
9.8
EPSS Score
0.009
Published
2022-04-29
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-04-29
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-04-29
The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages.
CVSS Score
6.1
EPSS Score
0.004
Published
2022-04-29
An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future.
CVSS Score
9.8
EPSS Score
0.003
Published
2022-03-30
An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-03-30
An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-03-30
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-12-24
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-12-24
In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-12-24