Mediawiki: >> Mediawiki >> 1.20.7 Security Vulnerabilities
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A denial of service (resource consumption) can be accomplished by searching for a very long key in a Language Name Search.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-01-10
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The WikibaseMediaInfo component is vulnerable to XSS via the caption fields for a given media file.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-01-10
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.
CVSS Score
8.8
EPSS Score
0.001
Published
2022-01-10
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-12-24
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-12-24
In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-12-24
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-12-20
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-12-17
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback query, attackers can view private wiki contents.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-12-17
MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.
CVSS Score
6.1
EPSS Score
0.001
Published
2021-10-11