CVE-2022-41767 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-41765 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-34912 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-34911 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-31091 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-31090 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-31043 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-31042 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-29248 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-28209 | AVG-2676 | Critical | Unknown | Unknown | An issue was discovered in MediaWiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect. |
CVE-2022-28206 | AVG-2676 | Critical | Unknown | Unknown | An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights. |
CVE-2022-28205 | AVG-2676 | Critical | Unknown | Unknown | An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future. |
CVE-2022-28203 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2022-28202 | AVG-2677 | Medium | Yes | Cross-site scripting | An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes... |
CVE-2022-28201 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2021-44856 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2021-44855 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2021-44854 | AVG-2823 | Unknown | Unknown | Unknown | Unknown |
CVE-2021-41801 | AVG-2434 | Medium | Yes | Access restriction bypass | A security issue has been found in MediaWiki before version 1.36.2. ReplaceText continues performing actions if the user no longer has the correct... |
CVE-2021-41800 | AVG-2434 | Medium | Yes | Denial of service | A denial of service vulnerability in Special:Contributions has been found in MediaWiki before version 1.36.2. |
CVE-2021-41799 | AVG-2434 | Medium | Yes | Denial of service | A security issue has been found in MediaWiki before version 1.36.2. ApiQueryBacklinks can cause a full table scan, leading to high resource consumption. |
CVE-2021-41798 | AVG-2434 | Medium | Yes | Cross-site scripting | A cross-site scripting vulnerability in Special:Search has been found in MediaWiki before version 1.36.2. |
CVE-2021-35197 | AVG-2093 | Medium | Yes | Access restriction bypass | A security issue has been found in MediaWiki before version 1.36.1 that allows blocked users to purge pages. |
CVE-2021-30458 | AVG-1775 | Medium | Yes | Cross-site scripting | An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will... |
CVE-2021-30159 | AVG-1775 | Medium | Yes | Access restriction bypass | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in... |
CVE-2021-30158 | AVG-1775 | Low | Yes | Incorrect calculation | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has... |
CVE-2021-30157 | AVG-1775 | Medium | Yes | Cross-site scripting | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and... |
CVE-2021-30156 | AVG-1791 | Medium | Yes | Information disclosure | An issue was discovered in MediaWiki on the master branch. Special:Contributions can leak that a "hidden" user exists. |
CVE-2021-30155 | AVG-1775 | Medium | Yes | Access restriction bypass | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct... |
CVE-2021-30154 | AVG-1775 | Medium | Yes | Cross-site scripting | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages... |
CVE-2021-30153 | AVG-1775 | Medium | Yes | Information disclosure | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ApiVisualEditor can leak that a "hidden" user exists. |
CVE-2021-30152 | AVG-1775 | Medium | Yes | Access restriction bypass | An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is... |
CVE-2021-27291 | AVG-1775 | Low | Yes | Denial of service | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have... |
CVE-2021-20270 | AVG-1775 | Low | Yes | Denial of service | A security issue was found in python-pygments version 1.5 up to 2.7.3. When the SMLLexer gets fed the string "exception", it loops indefinitely, leading to... |
CVE-2020-35480 | AVG-1371 | Low | Yes | Information disclosure | An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden... |
CVE-2020-35479 | AVG-1371 | Medium | Yes | Cross-site scripting | MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the... |
CVE-2020-35478 | AVG-1371 | Medium | Yes | Cross-site scripting | MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via... |
CVE-2020-35477 | AVG-1371 | Low | Yes | Information disclosure | MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page,... |
CVE-2020-35475 | AVG-1371 | Medium | Yes | Cross-site scripting | In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits... |
CVE-2020-35474 | AVG-1371 | Low | Yes | Cross-site scripting | In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of... |
CVE-2018-13258 | AVG-765 | Medium | Yes | Information disclosure | A security issue has been found in mediawiki < 1.31.1 where the tarball is missing .htaccess files used to protect some directories that shouldn't be web accessible. |
CVE-2018-0505 | AVG-765 | Medium | Yes | Access restriction bypass | A security issue has been found in mediawiki < 1.31.1 where BotPassword can bypass CentralAuth's account lock. |
CVE-2018-0503 | AVG-765 | Low | Yes | Access restriction bypass | A security issue has been found in the rate limiting feature of mediawiki < 1.31.1 where, contrary to the documentation, $wgRateLimits entry for 'user'... |
CVE-2017-9841 | AVG-491 | Critical | Yes | Arbitrary code execution | Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning... |
CVE-2017-8815 | AVG-490 | High | Yes | Cross-site scripting | The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules. |
CVE-2017-8814 | AVG-490 | High | Yes | Cross-site scripting | The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule... |
CVE-2017-8812 | AVG-490 | Medium | Yes | Insufficient validation | MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute... |
CVE-2017-8811 | AVG-490 | High | Yes | Cross-site scripting | The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks. |
CVE-2017-8810 | AVG-490 | Low | Yes | Information disclosure | MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed... |
CVE-2017-8809 | AVG-490 | High | Yes | Url request injection | api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability. |
CVE-2017-8808 | AVG-490 | High | Yes | Cross-site scripting | MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends... |
CVE-2017-0372 | AVG-259 | Medium | Yes | Cross-site scripting | The SyntaxHighlight extension in MediaWiki before 1.28.1 does not properly validate the 'start' parameter before passing it to Pygments. |
CVE-2017-0370 | AVG-236 | Medium | Yes | Insufficient validation | The spam blacklist in MediaWiki before 1.28.1 could be bypassed by encoding URLs inside a file inclusion syntax's link parameter. |
CVE-2017-0369 | AVG-236 | Low | Yes | Access restriction bypass | In MediaWiki < 1.28.1, a normal sysop that doesn't have the necessary rights to override a page protection can still recreate it by restoring a former... |
CVE-2017-0368 | AVG-236 | Low | Yes | Cross-site scripting | MediaWiki < 1.28.1 did not properly mark system messages as raw HTML, hence not properly escaping it. |
CVE-2017-0367 | AVG-236 | High | No | Arbitrary code execution | MediaWiki before 1.28.1 uses the default system temporary directory for the LocalisationCache directory, allowing a local attacker to execute arbitrary code... |
CVE-2017-0366 | AVG-236 | High | Yes | Cross-site scripting | MediaWiki < 1.28.1 did not properly filter the DTD declaration when a SVG file was uploaded, leading to a persistent XSS. |
CVE-2017-0365 | AVG-236 | Medium | Yes | Cross-site scripting | SearchHighlighter::removeWiki() uses a regex to remove html from snippets. The regex - /<\/?[^>]+>/ assumes that html is well-formed. As a result when using... |
CVE-2017-0364 | AVG-236 | Medium | Yes | Open redirect | The Special:Search page in MediaWiki < 1.28.1 has an open redirect issue. |
CVE-2017-0363 | AVG-236 | Medium | Yes | Open redirect | The Special:UserLogin page in MediaWiki < 1.28.1 has an open redirect issue. |
CVE-2017-0362 | AVG-236 | Medium | Yes | Cross-site request forgery | MediaWiki before 1.18.1 did not require a CSRF token for the "Mark all pages visited" action on the watchlist. |
CVE-2017-0361 | AVG-490 | High | No | Information disclosure | MediaWiki before 1.29.2 may leak passwords in plaintext. API parameters may now be marked as "sensitive" to keep their values out of the logs. |
CVE-2017-0361 | AVG-236 | High | No | Information disclosure | MediaWiki before 1.29.2 may leak passwords in plaintext. API parameters may now be marked as "sensitive" to keep their values out of the logs. |