This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor: Mediawiki
Product: Mediawiki
Version: 1.5.6
Update: *
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *
First view: 2006-03-29
Last view: 2022-09-29
Type: Application

CPE Product: cpe:2.3:a:mediawiki:mediawiki

Related : CVE

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
6.5 2022-09-29 CVE-2021-42049

An issue was discovered in the Translate extension in MediaWiki through 1.36.2. Oversighters cannot undo revisions or oversight on pages where they suppressed information (such as PII). This allows oversighters to whitewash revisions.

4.8 2022-09-29 CVE-2021-42048

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.

5.4 2022-09-29 CVE-2021-42047

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can log in with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback.

6.1 2022-09-29 CVE-2021-42046

An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.

5.4 2022-09-29 CVE-2021-42045

An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote.

7.5 2022-09-19 CVE-2022-28204

A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk.

7.5 2022-09-19 CVE-2022-28203

A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.

4.4 2022-09-19 CVE-2022-28201

An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.

4.9 2022-09-02 CVE-2022-39194

An issue was discovered in MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed.

6.1 2022-07-02 CVE-2022-34912

An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.

6.1 2022-07-02 CVE-2022-34911

An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().

7.5 2022-06-28 CVE-2022-34750

An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vectors within the Wikibase and WikibaseLexeme extensions. This is related to Special:NewLexeme and Special:NewProperty.

7.5 2022-04-30 CVE-2022-28323

An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,

6.1 2022-04-29 CVE-2022-29907

The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages.

9.8 2022-04-29 CVE-2022-29906

The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.

4.3 2022-04-29 CVE-2022-29905

The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.

9.8 2022-04-29 CVE-2022-29904

The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints.

4.3 2022-04-29 CVE-2022-29903

The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.

9.8 2022-03-30 CVE-2022-28209

An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.

9.8 2022-03-30 CVE-2022-28206

An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.

9.8 2022-03-30 CVE-2022-28205

An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future.

6.1 2022-03-30 CVE-2022-28202

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.

7.5 2022-02-18 CVE-2017-0371

MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the title attribute.

4.8 2022-01-10 CVE-2021-46150

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Special:CheckUserLog allows CheckUser XSS because of date mishandling, as demonstrated by an XSS payload in MediaWiki:October.

7.5 2022-01-10 CVE-2021-46149

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A denial of service (resource consumption) can be accomplished by searching for a very long key in a Language Name Search.

CWE : Common Weakness Enumeration

% id Name
38% (76) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
13% (27) CWE-200 Information Exposure
9% (18) CWE-352 Cross-Site Request Forgery (CSRF)
7% (15) CWE-20 Improper Input Validation
3% (7) CWE-284 Access Control (Authorization) Issues
2% (5) CWE-399 Resource Management Errors
2% (4) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
2% (4) CWE-287 Improper Authentication
2% (4) CWE-264 Permissions, Privileges, and Access Controls
1% (3) CWE-770 Allocation of Resources Without Limits or Throttling
1% (3) CWE-276 Incorrect Default Permissions
1% (3) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
1% (2) CWE-532 Information Leak Through Log Files
1% (2) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
1% (2) CWE-269 Improper Privilege Management
1% (2) CWE-255 Credentials Management
1% (2) CWE-203 Information Exposure Through Discrepancy
0% (1) CWE-798 Use of Hard-coded Credentials
0% (1) CWE-763 Release of Invalid Pointer or Reference
0% (1) CWE-755 Improper Handling of Exceptional Conditions
0% (1) CWE-732 Incorrect Permission Assignment for Critical Resource
0% (1) CWE-706 Use of Incorrectly-Resolved Name or Reference
0% (1) CWE-674 Uncontrolled Recursion
0% (1) CWE-670 Always-Incorrect Control Flow Implementation
0% (1) CWE-668 Exposure of Resource to Wrong Sphere

Open Source Vulnerability Database (OSVDB)

id Description
78260 MediaWiki includes/api/ApiQueryRevisions.php execute() Function Deleted Cache...
77365 MediaWiki Ajax Request Parsing File Existence Disclosure
77364 MediaWiki preliminaryChecks() Function curid Parameter Request Parsing Remote...
74621 MediaWiki Transwiki Import wgImportSources Crafted POST Request Remote Import...
74620 MediaWiki Wikitext Parser includes/Sanitizer.php checkCss Function Hex String...
74619 MediaWiki URI Query String %2E Sequence XSS
74613 MediaWiki wgBlockDisablesLogin includes/User.php Auth Token Cached Data Multi...
70770 MediaWiki CSS Comments XSS
70272 MediaWiki Multiple Unspecified Function Clickjacking
66652 MediaWiki profileinfo.php filter Parameter XSS
66651 MediaWiki api.php Cache-Control HTTP Header Information Disclosure
63570 MediaWiki Unspecified CSRF
62799 MediaWiki thumb.php Permission Check Weakness Restricted Image Disclosure
62798 MediaWiki CSS Validation Function External Image Information Disclosure
50955 MediaWiki Special:Import Feature Unspecified CSRF
37343 MediaWiki AJAX Features index.php rs Parameter XSS
33709 MediaWiki wiki/skins/Chick.deps.php Direct Request Path Disclosure
33708 MediaWiki wiki/skins/MySkin.deps.php Direct Request Path Disclosure
33707 MediaWiki wiki/skins/MonoBook.deps.php Direct Request Path Disclosure
33706 MediaWiki wiki/skins/Simple.deps.php Direct Request Path Disclosure
32078 MediaWiki AJAX Support Module UTF-7 XSS
25713 MediaWiki Parser Unspecified XSS
24321 MediaWiki Encoded Links Unspecified XSS

OpenVAS Exploits

id Description
2012-09-07 Name : FreeBSD Ports: mediawiki
File : nvt/freebsd_mediawiki8.nasl
2012-08-10 Name : Gentoo Security Advisory GLSA 201206-09 (MediaWiki)
File : nvt/glsa_201206_09.nasl
2012-07-09 Name : MediaWiki 'uselang' Parameter Cross Site Scripting Vulnerability
File : nvt/gb_mediawiki_uselang_param_xss_vuln.nasl
2012-02-11 Name : Debian Security Advisory DSA 2366-1 (mediawiki)
File : nvt/deb_2366_1.nasl
2011-06-02 Name : MediaWiki Cross-Site Scripting Vulnerability
File : nvt/secpod_mediawiki_xss_vuln.nasl
2011-05-23 Name : Fedora Update for mediawiki FEDORA-2011-6775
File : nvt/gb_fedora_2011_6775_mediawiki_fc13.nasl
2011-05-23 Name : Fedora Update for mediawiki FEDORA-2011-6774
File : nvt/gb_fedora_2011_6774_mediawiki_fc14.nasl
2011-05-11 Name : MediaWiki 'profileinfo.php' Cross Site Scripting Vulnerability
File : nvt/gb_mediawiki_profileinfo_xss_vuln.nasl
2011-05-05 Name : Fedora Update for mediawiki FEDORA-2011-5807
File : nvt/gb_fedora_2011_5807_mediawiki_fc13.nasl
2011-05-05 Name : Fedora Update for mediawiki FEDORA-2011-5812
File : nvt/gb_fedora_2011_5812_mediawiki_fc14.nasl
2011-03-05 Name : FreeBSD Ports: mediawiki
File : nvt/freebsd_mediawiki6.nasl
2011-03-04 Name : MediaWiki Frames Processing Clickjacking Information Disclosure Vulnerability
File : nvt/gb_mediawiki_clickjacking_vuln.nasl
2011-02-03 Name : MediaWiki CSS Comments Cross Site Scripting Vulnerability
File : nvt/gb_mediawiki_46108.nasl
2010-08-02 Name : MediaWiki 'api.php' Information Disclosure Vulnerability
File : nvt/gb_MediaWiki_42019.nasl
2010-08-02 Name : MediaWiki 'profileinfo.php' Cross Site Scripting Vulnerability
File : nvt/gb_MediaWiki_42024.nasl
2010-07-12 Name : Fedora Update for mediawiki FEDORA-2010-6335
File : nvt/gb_fedora_2010_6335_mediawiki_fc12.nasl
2010-05-14 Name : FreeBSD Ports: mediawiki
File : nvt/freebsd_mediawiki3.nasl
2010-04-29 Name : MediaWiki Login CSRF Vulnerability
File : nvt/secpod_mediawiki_login_csrf_vuln.nasl
2010-03-30 Name : Debian Security Advisory DSA 2022-1 (mediawiki)
File : nvt/deb_2022_1.nasl
2010-03-15 Name : MediaWiki 'CSS validation' Information Disclosure Vulnerability
File : nvt/gb_mediawiki_38621.nasl
2009-10-06 Name : Debian Security Advisory DSA 1901-1 (mediawiki1.7)
File : nvt/deb_1901_1.nasl
2009-07-29 Name : Fedora Core 10 FEDORA-2009-7750 (mediawiki)
File : nvt/fcore_2009_7750.nasl
2009-03-07 Name : Fedora Core 9 FEDORA-2009-2237 (mediawiki)
File : nvt/fcore_2009_2237.nasl
2009-03-07 Name : Fedora Core 10 FEDORA-2009-2231 (mediawiki)
File : nvt/fcore_2009_2231.nasl
2009-02-27 Name : Fedora Update for mediawiki FEDORA-2007-1442
File : nvt/gb_fedora_2007_1442_mediawiki_fc7.nasl

Snort® IPS/IDS

Date Description
2018-01-04 MediaWiki arbitrary file write attempt
RuleID : 45094 - Type : SERVER-WEBAPP - Revision : 2
2014-01-10 Media Wiki script injection attempt
RuleID : 26298 - Type : SERVER-WEBAPP - Revision : 2

Nessus® Vulnerability Scanner

id Description
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-e022ecbc52.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-f4b65fc7cd.nasl - Type: ACT_GATHER_INFO
2018-10-09 Name: The remote Fedora host is missing a security update.
File: fedora_2018-edf90410ea.nasl - Type: ACT_GATHER_INFO
2018-09-24 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4301.nasl - Type: ACT_GATHER_INFO
2018-09-24 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_be1aada2be6c11e88fc6000c29434208.nasl - Type: ACT_GATHER_INFO
2017-11-20 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_298829e2ccce11e792e4000c29649f92.nasl - Type: ACT_GATHER_INFO
2017-11-16 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4036.nasl - Type: ACT_GATHER_INFO
2017-05-16 Name: The remote Fedora host is missing a security update.
File: fedora_2017-2643ef1cad.nasl - Type: ACT_GATHER_INFO
2017-04-17 Name: The remote Fedora host is missing a security update.
File: fedora_2017-3fb95ed01f.nasl - Type: ACT_GATHER_INFO
2016-11-15 Name: The remote Fedora host is missing a security update.
File: fedora_2016-9299ce1c7d.nasl - Type: ACT_GATHER_INFO
2016-09-08 Name: The remote Fedora host is missing a security update.
File: fedora_2016-af3b0af887.nasl - Type: ACT_GATHER_INFO
2016-09-08 Name: The remote Fedora host is missing a security update.
File: fedora_2016-ce1678471e.nasl - Type: ACT_GATHER_INFO
2016-08-29 Name: An application running on the remote web server is affected by multiple vulne...
File: mediawiki_1_27_1.nasl - Type: ACT_GATHER_INFO
2016-07-14 Name: The remote Fedora host is missing a security update.
File: fedora_2015-122a831a05.nasl - Type: ACT_GATHER_INFO
2016-03-04 Name: The remote Fedora host is missing a security update.
File: fedora_2015-24fe8b66c9.nasl - Type: ACT_GATHER_INFO
2016-03-04 Name: The remote Fedora host is missing a security update.
File: fedora_2015-97fe05f788.nasl - Type: ACT_GATHER_INFO
2016-03-04 Name: The remote Fedora host is missing a security update.
File: fedora_2015-ec6d598d3d.nasl - Type: ACT_GATHER_INFO
2015-12-29 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_f36bbd66aa4411e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-11-02 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201510-05.nasl - Type: ACT_GATHER_INFO
2015-10-23 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b973a763793611e5a2a1002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-08-31 Name: The remote Fedora host is missing a security update.
File: fedora_2015-13920.nasl - Type: ACT_GATHER_INFO
2015-08-17 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_6241b5df42a111e593ad002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-06-12 Name: The remote web server contains an application that is affected by multiple vu...
File: mediawiki_1_24_2.nasl - Type: ACT_GATHER_INFO
2015-04-10 Name: The remote Mandriva Linux host is missing one or more security updates.
File: mandriva_MDVSA-2015-200.nasl - Type: ACT_GATHER_INFO
2015-02-09 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201502-04.nasl - Type: ACT_GATHER_INFO