CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2016-6333
https://notcve.org/view.php?id=CVE-2016-6333
20 Apr 2017 — Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css. Vulnerabilidad XSS en la función de vista previa de subpáginas de usuario CSS en MediaWiki en versiones anteriores a 1.23.15, 1.26.x en versiones anteriores a 1.26.4 y 1.27.x en versiones anteriores a 1.27.1 permite atacantes remotos inyectar se... • http://www.securityfocus.com/bid/98053 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2016-6336
https://notcve.org/view.php?id=CVE-2016-6336
20 Apr 2017 — MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete. MediaWiki en versiones anteriores a 1.23.15, 1.26.x en versiones anteriores a 1.26.4, y 1.27.x en versiones anteriores a 1.27.1 permite a los usuarios autenticados remotos con permisos undelete eludir las restriccion... • https://bugzilla.redhat.com/show_bug.cgi?id=1369613 • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8627
https://notcve.org/view.php?id=CVE-2015-8627
23 Mar 2017 — MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not supposed to have been allowed. MediaWiki en versiones anteriores a 1.23.12, 1.24.x en versiones anteriores a 1.24.5, 1.25.x en versiones anteriores a 1.25.4 y 1.26.x en versiones anteriores a 1.26.1 no normaliza correctamente las direcci... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8628
https://notcve.org/view.php?id=CVE-2015-8628
23 Mar 2017 — The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 allow remote attackers to obtain sensitive user login information via crafted links combined with page view statistics. Las páginas (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads y (5) Special:AllMyUploads en MediaWiki en versiones anterio... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8622
https://notcve.org/view.php?id=CVE-2015-8622
23 Mar 2017 — Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to a page named "javascript:alert('XSS!')." Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en MediaWiki en versiones anteriores a 1.23.12, 1.24.x en versiones anteriores a 1.24.5, 1.25.x en versio... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8625
https://notcve.org/view.php?id=CVE-2015-8625
23 Mar 2017 — MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters. MediaWiki en versiones anteriores a 1.23.12, 1.24.x en versiones anteriores a 1.24.5, 1.25.x en versiones anteriores a 1.25.4, y 1.26.x en versiones anteriores a 1.26.1 no desinfecta adecuadamente los parámetros al llamar a la bi... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2015-8623
https://notcve.org/view.php?id=CVE-2015-8623
23 Mar 2017 — The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624. La función User::matchEditToken en includes/User.php en MediaWiki en versiones anteriores a 1.23.12 y 1.24.x en versiones anteriores a 1.24.5 no realiza comparación de token en tiempo con... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8626
https://notcve.org/view.php?id=CVE-2015-8626
23 Mar 2017 — The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 generates passwords smaller than $wgMinimalPasswordLength, which makes it easier for remote attackers to obtain access via a brute-force attack. La función User::randomPassword en MediaWiki en versiones anteriores a 1.23.12, 1.24.x en versiones anteriores a 1.24.5, 1.25.x en versiones anteriores a 1.25.4 y 1.26.x en versiones anteriores a 1.26.1 genera contraseñas más pequeñas ... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-255: Credentials Management Errors •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8624
https://notcve.org/view.php?id=CVE-2015-8624
23 Mar 2017 — The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623. La función User::matchEditToken en includes/User.php en MediaWiki en versiones anteriores a 1.23.12,... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2015-8003
https://notcve.org/view.php?id=CVE-2015-8003
09 Nov 2015 — MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not throttle file uploads, which allows remote authenticated users to have unspecified impact via multiple file uploads. MediaWiki en versiones anteriores a 1.23.11, 1.24.x en versiones anteriores a 1.24.4 y 1.25.x en versiones anteriores a 1.25.3 no regula la subida de archivos, lo que permite a usuarios remotos autenticados tener un impacto no especificado a través de múltiples subidas de archivos. • http://www.securitytracker.com/id/1034028 • CWE-399: Resource Management Errors •