This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Vendor            Mediawiki
Product           Mediawiki
Version           1.4_beta3
Update            *
Edition           *
Language          *
Software Edition  *
Target Software   *
Target Hardware   *
Other             *

Detail

First view  2005-05-02
Last view   2020-06-24
Type        Application

CPE Product cpe:2.3:a:mediawiki:mediawiki

Activity : Overall

Related : CVE

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
Score Date Alert Description
3.1 2020-06-24 CVE-2020-15005

In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled.

6.1 2020-06-02 CVE-2020-10959

resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page.

5.3 2020-04-03 CVE-2020-10960

In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS).

9.8 2020-03-12 CVE-2020-10534

In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled.

8.1 2020-02-08 CVE-2012-4381

MediaWiki before 1.18.5, and 1.19.x before 1.19.2, saves passwords in the local database, which (1) could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or (2), when an authentication plugin returns false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors.

7.5 2020-02-06 CVE-2013-4572

The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.

5.3 2020-01-28 CVE-2013-6455

The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page.

6.1 2020-01-28 CVE-2013-6451

Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.

5.9 2020-01-27 CVE-2014-9481

The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.

6.1 2019-12-11 CVE-2019-19709

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.

6.1 2019-12-11 CVE-2013-4303

includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.

7.5 2019-11-20 CVE-2013-1817

MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.

7.5 2019-11-20 CVE-2013-1816

MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.

6.1 2019-10-31 CVE-2013-1951

A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 allows remote attackers to inject arbitrary web script or HTML via Lua function names.

7.5 2019-10-29 CVE-2012-0046

MediaWiki allows deleted text to be exposed.

5.3 2019-09-25 CVE-2019-16738

In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.

7.5 2019-07-10 CVE-2019-12474

Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

7.5 2019-07-10 CVE-2019-12473

Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

7.5 2019-07-10 CVE-2019-12472

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

6.1 2019-07-10 CVE-2019-12471

Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

6.5 2019-07-10 CVE-2019-12470

Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

6.5 2019-07-10 CVE-2019-12469

MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

9.8 2019-07-10 CVE-2019-12468

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover.

5.3 2019-07-10 CVE-2019-12467

MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

8.8 2019-07-10 CVE-2019-12466

Wikimedia MediaWiki through 1.32.1 allows CSRF.

CWE : Common Weakness Enumeration

% (count) id Name
31% (41) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
16% (22) CWE-200 Information Exposure
10% (13) CWE-20 Improper Input Validation
9% (12) CWE-352 Cross-Site Request Forgery (CSRF)
5% (7) CWE-284 Access Control (Authorization) Issues
4% (6) CWE-264 Permissions, Privileges, and Access Controls
3% (5) CWE-399 Resource Management Errors
3% (4) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
2% (3) CWE-287 Improper Authentication
1% (2) CWE-269 Improper Privilege Management
1% (2) CWE-255 Credentials Management
1% (2) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
0% (1) CWE-798 Use of Hard-coded Credentials
0% (1) CWE-668 Exposure of Resource to Wrong Sphere
0% (1) CWE-532 Information Leak Through Log Files
0% (1) CWE-384 Session Fixation
0% (1) CWE-362 Race Condition
0% (1) CWE-306 Missing Authentication for Critical Function
0% (1) CWE-276 Incorrect Default Permissions
0% (1) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
0% (1) CWE-116 Improper Encoding or Escaping of Output
0% (1) CWE-94 Failure to Control Generation of Code ('Code Injection')
0% (1) CWE-77 Improper Sanitization of Special Elements used in a Command ('Comma...

Open Source Vulnerability Database (OSVDB)

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
id Description
78260 MediaWiki includes/api/ApiQueryRevisions.php execute() Function Deleted Cache...
77365 MediaWiki Ajax Request Parsing File Existance Disclosure
77364 MediaWiki preliminaryChecks() Function curid Parameter Request Parsing Remote...
74621 MediaWiki Transwiki Import wgImportSources Crafted POST Request Remote Import...
74620 MediaWiki Wikitext Parser includes/Sanitizer.php checkCss Function Hex String...
74619 MediaWiki URI Query String %2E Sequence XSS
74613 MediaWiki wgBlockDisablesLogin includes/User.php Auth Token Cached Data Multi...
70770 MediaWiki CSS Comments XSS
70272 MediaWiki Multiple Unspecified Function Clickjacking
66652 MediaWiki profileinfo.php filter Parameter XSS
66651 MediaWiki api.php Cache-Control HTTP Header Information Disclosure
63570 MediaWiki Unspecified CSRF
62799 MediaWiki thumb.php Permission Check Weakness Restricted Image Disclosure
62798 MediaWiki CSS Validation Function External Image Information Disclosure
37343 MediaWiki AJAX Features index.php rs Parameter XSS
33709 MediaWiki wiki/skins/Chick.deps.php Direct Request Path Disclosure
33708 MediaWiki wiki/skins/MySkin.deps.php Direct Request Path Disclosure
33707 MediaWiki wiki/skins/MonoBook.deps.php Direct Request Path Disclosure
33706 MediaWiki wiki/skins/Simple.deps.php Direct Request Path Disclosure
32078 MediaWiki AJAX Support Module UTF-7 XSS
25713 MediaWiki Parser Unspecified XSS
22910 MediaWiki Edit Comment Formatting Crafted URL DoS
21960 MediaWiki Hardcoded Placeholder String Inline Style Attribute Security Bypass...
19956 MediaWiki Crafted Edit Submission Database Corruption DoS
19877 MediaWiki HTML Inline Style Attributes XSS

OpenVAS Exploits

Date Name / File
2012-09-07 Name : FreeBSD Ports: mediawiki
File : nvt/freebsd_mediawiki8.nasl
2012-08-10 Name : Gentoo Security Advisory GLSA 201206-09 (MediaWiki)
File : nvt/glsa_201206_09.nasl
2012-07-09 Name : MediaWiki 'uselang' Parameter Cross Site Scripting Vulnerability
File : nvt/gb_mediawiki_uselang_param_xss_vuln.nasl
2012-02-11 Name : Debian Security Advisory DSA 2366-1 (mediawiki)
File : nvt/deb_2366_1.nasl
2011-06-02 Name : MediaWiki Cross-Site Scripting Vulnerability
File : nvt/secpod_mediawiki_xss_vuln.nasl
2011-05-23 Name : Fedora Update for mediawiki FEDORA-2011-6774
File : nvt/gb_fedora_2011_6774_mediawiki_fc14.nasl
2011-05-23 Name : Fedora Update for mediawiki FEDORA-2011-6775
File : nvt/gb_fedora_2011_6775_mediawiki_fc13.nasl
2011-05-11 Name : MediaWiki 'profileinfo.php' Cross Site Scripting Vulnerability
File : nvt/gb_mediawiki_profileinfo_xss_vuln.nasl
2011-05-05 Name : Fedora Update for mediawiki FEDORA-2011-5807
File : nvt/gb_fedora_2011_5807_mediawiki_fc13.nasl
2011-05-05 Name : Fedora Update for mediawiki FEDORA-2011-5812
File : nvt/gb_fedora_2011_5812_mediawiki_fc14.nasl
2011-03-05 Name : FreeBSD Ports: mediawiki
File : nvt/freebsd_mediawiki6.nasl
2011-03-04 Name : MediaWiki Frames Processing Clickjacking Information Disclosure Vulnerability
File : nvt/gb_mediawiki_clickjacking_vuln.nasl
2011-02-03 Name : MediaWiki CSS Comments Cross Site Scripting Vulnerability
File : nvt/gb_mediawiki_46108.nasl
2010-08-02 Name : MediaWiki 'api.php' Information Disclosure Vulnerability
File : nvt/gb_MediaWiki_42019.nasl
2010-08-02 Name : MediaWiki 'profileinfo.php' Cross Site Scripting Vulnerability
File : nvt/gb_MediaWiki_42024.nasl
2010-07-12 Name : Fedora Update for mediawiki FEDORA-2010-6335
File : nvt/gb_fedora_2010_6335_mediawiki_fc12.nasl
2010-05-14 Name : FreeBSD Ports: mediawiki
File : nvt/freebsd_mediawiki3.nasl
2010-04-29 Name : MediaWiki Login CSRF Vulnerability
File : nvt/secpod_mediawiki_login_csrf_vuln.nasl
2010-03-30 Name : Debian Security Advisory DSA 2022-1 (mediawiki)
File : nvt/deb_2022_1.nasl
2010-03-15 Name : MediaWiki 'CSS validation' Information Disclosure Vulnerability
File : nvt/gb_mediawiki_38621.nasl
2009-02-27 Name : Fedora Update for mediawiki FEDORA-2007-1442
File : nvt/gb_fedora_2007_1442_mediawiki_fc7.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200502-33 (mediawiki)
File : nvt/glsa_200502_33.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200507-18 (mediawiki)
File : nvt/glsa_200507_18.nasl
2008-09-04 Name : FreeBSD Ports: mediawiki
File : nvt/freebsd_mediawiki.nasl

Snort® IPS/IDS

Date Description
2018-01-04 MediaWiki arbitrary file write attempt
RuleID : 45094 - Type : SERVER-WEBAPP - Revision : 2
2014-01-10 Media Wiki script injection attempt
RuleID : 26298 - Type : SERVER-WEBAPP - Revision : 2

Nessus® Vulnerability Scanner

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
Date Name / File / Type
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-e022ecbc52.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-f4b65fc7cd.nasl - Type: ACT_GATHER_INFO
2018-10-09 Name: The remote Fedora host is missing a security update.
File: fedora_2018-edf90410ea.nasl - Type: ACT_GATHER_INFO
2018-09-24 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4301.nasl - Type: ACT_GATHER_INFO
2018-09-24 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_be1aada2be6c11e88fc6000c29434208.nasl - Type: ACT_GATHER_INFO
2017-11-20 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_298829e2ccce11e792e4000c29649f92.nasl - Type: ACT_GATHER_INFO
2017-11-16 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4036.nasl - Type: ACT_GATHER_INFO
2017-05-16 Name: The remote Fedora host is missing a security update.
File: fedora_2017-2643ef1cad.nasl - Type: ACT_GATHER_INFO
2017-04-17 Name: The remote Fedora host is missing a security update.
File: fedora_2017-3fb95ed01f.nasl - Type: ACT_GATHER_INFO
2016-11-15 Name: The remote Fedora host is missing a security update.
File: fedora_2016-9299ce1c7d.nasl - Type: ACT_GATHER_INFO
2016-09-08 Name: The remote Fedora host is missing a security update.
File: fedora_2016-af3b0af887.nasl - Type: ACT_GATHER_INFO
2016-09-08 Name: The remote Fedora host is missing a security update.
File: fedora_2016-ce1678471e.nasl - Type: ACT_GATHER_INFO
2016-08-29 Name: An application running on the remote web server is affected by multiple vulne...
File: mediawiki_1_27_1.nasl - Type: ACT_GATHER_INFO
2016-07-14 Name: The remote Fedora host is missing a security update.
File: fedora_2015-122a831a05.nasl - Type: ACT_GATHER_INFO
2016-03-04 Name: The remote Fedora host is missing a security update.
File: fedora_2015-24fe8b66c9.nasl - Type: ACT_GATHER_INFO
2016-03-04 Name: The remote Fedora host is missing a security update.
File: fedora_2015-97fe05f788.nasl - Type: ACT_GATHER_INFO
2016-03-04 Name: The remote Fedora host is missing a security update.
File: fedora_2015-ec6d598d3d.nasl - Type: ACT_GATHER_INFO
2015-12-29 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_f36bbd66aa4411e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-11-02 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201510-05.nasl - Type: ACT_GATHER_INFO
2015-10-23 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b973a763793611e5a2a1002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-08-31 Name: The remote Fedora host is missing a security update.
File: fedora_2015-13920.nasl - Type: ACT_GATHER_INFO
2015-08-17 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_6241b5df42a111e593ad002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-06-12 Name: The remote web server contains an application that is affected by multiple vu...
File: mediawiki_1_24_2.nasl - Type: ACT_GATHER_INFO
2015-04-10 Name: The remote Mandriva Linux host is missing one or more security updates.
File: mandriva_MDVSA-2015-200.nasl - Type: ACT_GATHER_INFO
2015-02-09 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201502-04.nasl - Type: ACT_GATHER_INFO