MediaWiki Core vulnerabilities

28 known vulnerabilities affecting mediawiki/core.

Total CVEs: 28
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 6, MEDIUM 20

Vulnerabilities

Page 2 of 2
CVE-2021-41800 | MEDIUM | ≥ 0, < 1.36.2 | 2022-05-24
CVE-2021-41800 [MEDIUM] CWE-770 MediaWiki allows a denial of service: MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled.
ghsa, osv
CVE-2019-19709 | MEDIUM | ≥ 1.31.0, < 1.31.6; ≥ 1.32.0, < 1.32.6; +2 more | 2022-05-24
CVE-2019-19709 [MEDIUM] CWE-601 Possible to circumvent title-blacklist: MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.
ghsa, osv
CVE-2019-12471 | MEDIUM | ≥ 1.27.0, < 1.27.6; ≥ 1.30.0, < 1.30.2; +1 more | 2022-05-24
CVE-2019-12471 [MEDIUM] CWE-79 MediaWiki Cross-site Scripting (XSS): Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
ghsa, osv
CVE-2014-2853 | MEDIUM | ≥ 0, < 1.21.9; ≥ 1.22.0, < 1.22.6 | 2022-05-17
CVE-2014-2853 [MEDIUM] CWE-79 Cross-site scripting vulnerability in includes/actions/InfoAction.php: Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.
ghsa, osv
CVE-2018-13258 | MEDIUM | ≥ 1.31.0, < 1.31.1 | 2022-05-14
CVE-2018-13258 [MEDIUM] CWE-284 MediaWiki tarball is missing .htaccess files: MediaWiki 1.31 before 1.31.1 misses .htaccess files in the provided tarball used to protect some directories that shouldn't be web accessible.
ghsa, osv
CVE-2018-0505 | MEDIUM | ≥ 1.27.0, < 1.27.5; ≥ 1.29.0, < 1.29.3; +2 more | 2022-05-13
CVE-2018-0505 [MEDIUM] CWE-287 MediaWiki BotPassword can bypass CentralAuth's account lock: MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock.
ghsa, osv
CVE-2018-0504 | MEDIUM | ≥ 1.27.0, < 1.27.5; ≥ 1.29.0, < 1.29.3; +2 more | 2022-05-13
CVE-2018-0504 [MEDIUM] CWE-532 MediaWiki information disclosure vulnerability: MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid.
ghsa, osv
CVE-2018-0503 | MEDIUM | ≥ 1.27.0, < 1.27.5; ≥ 1.29.0, < 1.29.3; +2 more | 2022-05-13
CVE-2018-0503 [MEDIUM] CWE-269 MediaWiki Improper Privilege Management: MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where, contrary to the documentation, the $wgRateLimits entry for 'user' overrides that for 'newbie'.
ghsa, osv