CVE-2017-8815 | High | Yes | Cross-site scripting | The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules. |
CVE-2017-8814 | High | Yes | Cross-site scripting | The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule... |
CVE-2017-8812 | Medium | Yes | Insufficient validation | MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute... |
CVE-2017-8811 | High | Yes | Cross-site scripting | The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks. |
CVE-2017-8810 | Low | Yes | Information disclosure | MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed... |
CVE-2017-8809 | High | Yes | Url request injection | api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability. |
CVE-2017-8808 | High | Yes | Cross-site scripting | MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends... |
CVE-2017-0361 | High | No | Information disclosure | MediaWiki before 1.29.2 may leak passwords in plaintext. API parameters may now be marked as "sensitive" to keep their values out of the logs. |