Summary
Detail | |||
---|---|---|---|
Vendor | Mediawiki | First view | 2004-12-31 |
Product | Mediawiki | Last view | 2024-10-04 |
Version | Type | Application | |
Update | |||
Edition | |||
Language | |||
Sofware Edition | |||
Target Software | |||
Target Hardware | |||
Other |
Activity : Overall
COMMON PLATFORM ENUMERATION: Repartition per Version
Related : CVE
Date | Alert | Description | |
---|---|---|---|
0 | 2024-10-04 | CVE-2024-47913 | An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter. |
4.8 | 2024-07-07 | CVE-2024-40605 | An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. |
4.8 | 2024-07-07 | CVE-2024-40604 | An issue was discovered in the Nimbus skin for MediaWiki through 1.42.1. There is Stored XSS via MediaWiki:Nimbus-sidebar menu and submenu entries. |
4.3 | 2024-07-07 | CVE-2024-40603 | An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter data via a GET request. |
4.8 | 2024-07-07 | CVE-2024-40602 | An issue was discovered in the Tempo skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. |
6.5 | 2024-07-07 | CVE-2024-40601 | An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules. |
4.8 | 2024-07-07 | CVE-2024-40600 | An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. |
4.8 | 2024-07-07 | CVE-2024-40599 | An issue was discovered in the GuMaxDD skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. |
4.3 | 2024-07-07 | CVE-2024-40598 | An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log events. (The log_deleted attribute is not applied to entries.) |
0 | 2024-07-07 | CVE-2024-40597 | An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. It can expose suppressed information for log events. (The log_deleted attribute is not respected.) |
4.3 | 2024-07-07 | CVE-2024-40596 | An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The Special:Investigate feature can expose suppressed information for log events. (TimelineService does not support properly suppressing.) |
0 | 2024-05-05 | CVE-2024-34507 | An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. XSS can occur because of mishandling of the 0x1b character, as demonstrated by Special:RecentChanges#%1b0000000. |
0 | 2024-05-05 | CVE-2024-34506 | An issue was discovered in includes/specials/SpecialMovePage.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. If a user with the necessary rights to move the page opens Special:MovePage for a page with tens of thousands of subpages, then the page will exceed the maximum request time, leading to a denial of service. |
0 | 2024-05-05 | CVE-2024-34502 | An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token. |
0 | 2024-05-05 | CVE-2024-34500 | An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class. |
6.1 | 2024-01-12 | CVE-2024-23179 | An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks. |
5.4 | 2024-01-12 | CVE-2024-23178 | An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message. |
6.1 | 2024-01-12 | CVE-2024-23177 | An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter. |
5.4 | 2024-01-12 | CVE-2024-23174 | An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message. |
6.1 | 2024-01-12 | CVE-2024-23173 | An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php. |
5.4 | 2024-01-12 | CVE-2024-23172 | An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog. |
5.4 | 2024-01-12 | CVE-2024-23171 | An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n). |
6.1 | 2023-12-22 | CVE-2023-51704 | An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights. |
4.3 | 2023-11-03 | CVE-2023-45362 | An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak. |
5.4 | 2023-11-03 | CVE-2023-45360 | An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
43% (119) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
12% (33) | CWE-200 | Information Exposure |
8% (23) | CWE-352 | Cross-Site Request Forgery (CSRF) |
5% (16) | CWE-20 | Improper Input Validation |
2% (8) | CWE-284 | Access Control (Authorization) Issues |
2% (7) | CWE-264 | Permissions, Privileges, and Access Controls |
2% (6) | CWE-399 | Resource Management Errors |
1% (5) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
1% (5) | CWE-287 | Improper Authentication |
1% (4) | CWE-770 | Allocation of Resources Without Limits or Throttling |
1% (4) | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
1% (4) | CWE-532 | Information Leak Through Log Files |
1% (3) | CWE-276 | Incorrect Default Permissions |
1% (3) | CWE-203 | Information Exposure Through Discrepancy |
1% (3) | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
0% (2) | CWE-668 | Exposure of Resource to Wrong Sphere |
0% (2) | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
0% (2) | CWE-269 | Improper Privilege Management |
0% (2) | CWE-255 | Credentials Management |
0% (2) | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
0% (1) | CWE-798 | Use of Hard-coded Credentials |
0% (1) | CWE-763 | Release of Invalid Pointer or Reference |
0% (1) | CWE-755 | Improper Handling of Exceptional Conditions |
0% (1) | CWE-754 | Improper Check for Unusual or Exceptional Conditions |
0% (1) | CWE-706 | Use of Incorrectly-Resolved Name or Reference |
CAPEC : Common Attack Pattern Enumeration & Classification
id | Name |
---|---|
CAPEC-18 | Embedding Scripts in Nonscript Elements |
CAPEC-19 | Embedding Scripts within Scripts |
CAPEC-32 | Embedding Scripts in HTTP Query Strings |
CAPEC-63 | Simple Script Injection |
CAPEC-85 | Client Network Footprinting (using AJAX/XSS) |
CAPEC-86 | Embedding Script (XSS ) in HTTP Headers |
CAPEC-91 | XSS in IMG Tags |
CAPEC-106 | Cross Site Scripting through Log Files |
CAPEC-198 | Cross-Site Scripting in Error Pages |
CAPEC-199 | Cross-Site Scripting Using Alternate Syntax |
CAPEC-209 | Cross-Site Scripting Using MIME Type Mismatch |
CAPEC-232 | Exploitation of Privilege/Trust |
CAPEC-243 | Cross-Site Scripting in Attributes |
CAPEC-244 | Cross-Site Scripting via Encoded URI Schemes |
CAPEC-245 | Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript |
CAPEC-246 | Cross-Site Scripting Using Flash |
CAPEC-247 | Cross-Site Scripting with Masking through Invalid Characters in Identifiers |
Oval Markup Language : Definitions
OvalID | Name |
---|---|
oval:org.mitre.oval:def:7936 | DSA-1901 mediawiki1.7 -- several vulnerabilities |
oval:org.mitre.oval:def:13704 | DSA-1901-1 mediawiki1.7 -- several vulnerabilities |
oval:org.mitre.oval:def:7264 | DSA-2041 mediawiki -- Cross-Site Request Forgery |
oval:org.mitre.oval:def:13493 | DSA-2041-1 mediawiki -- CSRF |
oval:org.mitre.oval:def:15086 | DSA-2366-1 mediawiki -- multiple |
oval:org.mitre.oval:def:19786 | DSA-2753-1 mediawiki - cross-site request forgery token disclosure |
oval:org.mitre.oval:def:24466 | DSA-2891-1 mediawiki - security update |
oval:org.mitre.oval:def:29092 | DSA-2891-3 -- mediawiki, mediawiki-extensions -- security update |
oval:org.mitre.oval:def:29025 | DSA-2891-2 -- mediawiki, mediawiki-extensions -- security update |
oval:org.mitre.oval:def:25068 | DSA-2957-1 mediawiki - security update |
oval:org.mitre.oval:def:26197 | DSA-3011-1 mediawiki - security update |
oval:org.mitre.oval:def:26938 | DSA-3036-1 mediawiki - security update |
oval:org.mitre.oval:def:26719 | DSA-3046-1 mediawiki - security update |
oval:org.mitre.oval:def:28465 | DSA-3100-1 -- mediawiki security update |
Open Source Vulnerability Database (OSVDB)
id | Description |
---|---|
78260 | MediaWiki includes/api/ApiQueryRevisions.php execute() Function Deleted Cache... |
77365 | MediaWiki Ajax Request Parsing File Existance Disclosure |
77364 | MediaWiki preliminaryChecks() Function curid Parameter Request Parsing Remote... |
74621 | MediaWiki Transwiki Import wgImportSources Crafted POST Request Remote Import... |
74620 | MediaWiki Wikitext Parser includes/Sanitizer.php checkCss Function Hex String... |
74619 | MediaWiki URI Query String %2E Sequence XSS |
74613 | MediaWiki wgBlockDisablesLogin includes/User.php Auth Token Cached Data Multi... |
73157 | MediaWiki MediaWikiParserTest.php Unspecified Parameter Remote File Inclusion |
70799 | MediaWiki includes/StubObject.php Language::factory Function Traversal Local ... |
70798 | MediaWiki languages/Language.php Language::factory Function Traversal Local F... |
70770 | MediaWiki CSS Comments XSS |
70272 | MediaWiki Multiple Unspecified Function Clickjacking |
66652 | MediaWiki profileinfo.php filter Parameter XSS |
66651 | MediaWiki api.php Cache-Control HTTP Header Information Disclosure |
64983 | MediaWiki Arbitrary User Creation CSRF |
64982 | MediaWiki CSS Handling XSS |
63570 | MediaWiki Unspecified CSRF |
62799 | MediaWiki thumb.php Permission Check Weakness Restricted Image Disclosure |
62798 | MediaWiki CSS Validation Function External Image Information Disclosure |
59519 | MediaWiki Double File Extension File Upload Arbitrary Code Execution |
55824 | MediaWiki Special:Blocks Page SpecialBlockip.php ip Parameter XSS |
52034 | MediaWiki Installer config/index.php Unspecified Parameter XSS |
51480 | MediaWiki wgShowExceptionDetails Function Debug Message Path Disclosure |
51114 | MediaWiki images/deleted/ Direct Request Remote Information Disclosure |
50957 | MediaWiki Wiki Page Editing XSS |
ExploitDB Exploits
id | Description |
---|---|
31767 | MediaWiki Thumb.php Remote Command Execution |
31329 | MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610) |
OpenVAS Exploits
id | Description |
---|---|
2012-09-07 | Name : FreeBSD Ports: mediawiki File : nvt/freebsd_mediawiki8.nasl |
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-09 (MediaWiki) File : nvt/glsa_201206_09.nasl |
2012-07-09 | Name : MediaWiki 'uselang' Parameter Cross Site Scripting Vulnerability File : nvt/gb_mediawiki_uselang_param_xss_vuln.nasl |
2012-02-11 | Name : Debian Security Advisory DSA 2366-1 (mediawiki) File : nvt/deb_2366_1.nasl |
2011-06-02 | Name : MediaWiki Cross-Site Scripting Vulnerability File : nvt/secpod_mediawiki_xss_vuln.nasl |
2011-05-23 | Name : Fedora Update for mediawiki FEDORA-2011-6775 File : nvt/gb_fedora_2011_6775_mediawiki_fc13.nasl |
2011-05-23 | Name : Fedora Update for mediawiki FEDORA-2011-6774 File : nvt/gb_fedora_2011_6774_mediawiki_fc14.nasl |
2011-05-11 | Name : MediaWiki 'profileinfo.php' Cross Site Scripting Vulnerability File : nvt/gb_mediawiki_profileinfo_xss_vuln.nasl |
2011-05-05 | Name : Fedora Update for mediawiki FEDORA-2011-5812 File : nvt/gb_fedora_2011_5812_mediawiki_fc14.nasl |
2011-05-05 | Name : Fedora Update for mediawiki FEDORA-2011-5807 File : nvt/gb_fedora_2011_5807_mediawiki_fc13.nasl |
2011-03-05 | Name : FreeBSD Ports: mediawiki File : nvt/freebsd_mediawiki6.nasl |
2011-03-04 | Name : MediaWiki Frames Processing Clickjacking Information Disclosure Vulnerability File : nvt/gb_mediawiki_clickjacking_vuln.nasl |
2011-02-03 | Name : MediaWiki CSS Comments Cross Site Scripting Vulnerability File : nvt/gb_mediawiki_46108.nasl |
2010-08-02 | Name : MediaWiki 'api.php' Information Disclosure Vulnerability File : nvt/gb_MediaWiki_42019.nasl |
2010-08-02 | Name : MediaWiki 'profileinfo.php' Cross Site Scripting Vulnerability File : nvt/gb_MediaWiki_42024.nasl |
2010-07-12 | Name : Fedora Update for mediawiki FEDORA-2010-10848 File : nvt/gb_fedora_2010_10848_mediawiki_fc12.nasl |
2010-07-12 | Name : Fedora Update for mediawiki FEDORA-2010-10779 File : nvt/gb_fedora_2010_10779_mediawiki_fc13.nasl |
2010-07-12 | Name : Fedora Update for mediawiki FEDORA-2010-6335 File : nvt/gb_fedora_2010_6335_mediawiki_fc12.nasl |
2010-06-16 | Name : MediaWiki Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF) Vu... File : nvt/secpod_mediawiki_xss_n_csrf_vuln.nasl |
2010-06-03 | Name : FreeBSD Ports: mediawiki File : nvt/freebsd_mediawiki4.nasl |
2010-05-14 | Name : FreeBSD Ports: mediawiki File : nvt/freebsd_mediawiki3.nasl |
2010-04-29 | Name : MediaWiki Login CSRF Vulnerability File : nvt/secpod_mediawiki_login_csrf_vuln.nasl |
2010-03-30 | Name : Debian Security Advisory DSA 2022-1 (mediawiki) File : nvt/deb_2022_1.nasl |
2010-03-15 | Name : MediaWiki 'CSS validation' Information Disclosure Vulnerability File : nvt/gb_mediawiki_38621.nasl |
2010-01-16 | Name : MediaWiki XSS Vulnerability File : nvt/gb_mediawiki_xss_vuln.nasl |
Snort® IPS/IDS
Date | Description |
---|---|
2018-05-22 | MediaWiki index.php rs cross site scripting attempt RuleID : 46347 - Type : SERVER-WEBAPP - Revision : 2 |
2018-01-04 | MediaWiki arbitrary file write attempt RuleID : 45094 - Type : SERVER-WEBAPP - Revision : 2 |
2014-03-06 | Mediawiki DjVu and PDF handling code execution attempt RuleID : 29582 - Type : SERVER-OTHER - Revision : 4 |
2014-01-10 | Media Wiki script injection attempt RuleID : 26298 - Type : SERVER-WEBAPP - Revision : 2 |
2014-01-10 | uselang code injection RuleID : 16079 - Type : SERVER-WEBAPP - Revision : 15 |
Nessus® Vulnerability Scanner
id | Description |
---|---|
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-e022ecbc52.nasl - Type: ACT_GATHER_INFO |
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-f4b65fc7cd.nasl - Type: ACT_GATHER_INFO |
2018-10-09 | Name: The remote Fedora host is missing a security update. File: fedora_2018-edf90410ea.nasl - Type: ACT_GATHER_INFO |
2018-09-24 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4301.nasl - Type: ACT_GATHER_INFO |
2018-09-24 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_be1aada2be6c11e88fc6000c29434208.nasl - Type: ACT_GATHER_INFO |
2017-11-20 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_298829e2ccce11e792e4000c29649f92.nasl - Type: ACT_GATHER_INFO |
2017-11-16 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4036.nasl - Type: ACT_GATHER_INFO |
2017-05-16 | Name: The remote Fedora host is missing a security update. File: fedora_2017-2643ef1cad.nasl - Type: ACT_GATHER_INFO |
2017-04-17 | Name: The remote Fedora host is missing a security update. File: fedora_2017-3fb95ed01f.nasl - Type: ACT_GATHER_INFO |
2016-11-15 | Name: The remote Fedora host is missing a security update. File: fedora_2016-9299ce1c7d.nasl - Type: ACT_GATHER_INFO |
2016-09-08 | Name: The remote Fedora host is missing a security update. File: fedora_2016-af3b0af887.nasl - Type: ACT_GATHER_INFO |
2016-09-08 | Name: The remote Fedora host is missing a security update. File: fedora_2016-ce1678471e.nasl - Type: ACT_GATHER_INFO |
2016-08-29 | Name: An application running on the remote web server is affected by multiple vulne... File: mediawiki_1_27_1.nasl - Type: ACT_GATHER_INFO |
2016-07-14 | Name: The remote Fedora host is missing a security update. File: fedora_2015-122a831a05.nasl - Type: ACT_GATHER_INFO |
2016-03-04 | Name: The remote Fedora host is missing a security update. File: fedora_2015-24fe8b66c9.nasl - Type: ACT_GATHER_INFO |
2016-03-04 | Name: The remote Fedora host is missing a security update. File: fedora_2015-97fe05f788.nasl - Type: ACT_GATHER_INFO |
2016-03-04 | Name: The remote Fedora host is missing a security update. File: fedora_2015-ec6d598d3d.nasl - Type: ACT_GATHER_INFO |
2015-12-29 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_f36bbd66aa4411e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO |
2015-11-02 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-201510-05.nasl - Type: ACT_GATHER_INFO |
2015-10-23 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_b973a763793611e5a2a1002590263bf5.nasl - Type: ACT_GATHER_INFO |
2015-08-31 | Name: The remote Fedora host is missing a security update. File: fedora_2015-13920.nasl - Type: ACT_GATHER_INFO |
2015-08-17 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_6241b5df42a111e593ad002590263bf5.nasl - Type: ACT_GATHER_INFO |
2015-06-12 | Name: The remote web server contains an application that is affected by multiple vu... File: mediawiki_1_24_2.nasl - Type: ACT_GATHER_INFO |
2015-04-10 | Name: The remote Mandriva Linux host is missing one or more security updates. File: mandriva_MDVSA-2015-200.nasl - Type: ACT_GATHER_INFO |
2015-02-09 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-201502-04.nasl - Type: ACT_GATHER_INFO |