CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2016-6331
https://notcve.org/view.php?id=CVE-2016-6331
20 Apr 2017 — ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php. ApiParse en MediaWiki en versiones anteriores a 1.23.15, 1.26.x en versiones anteriores a 1.26.4 y 1.27.x en versiones anteriores a 1.27.1 permite a atacantes remotos eludir las restricciones de lectura previstas por título a través de una acción de análisis a api.php. • https://bugzilla.redhat.com/show_bug.cgi?id=1369613 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2016-6332
https://notcve.org/view.php?id=CVE-2016-6332
20 Apr 2017 — MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to terminate sessions when a user account is blocked. MediaWiki en versiones anteriores a 1.23.15, 1.26.x en versiones anteriores a 1.26.4 y1.27.x en versiones anteriores a 1.27.1, cuando $wgBlockDisablesLogin es verdadera, podría permitir a atacantes remotos obtener información sensible mediante el aprovechamiento de... • https://bugzilla.redhat.com/show_bug.cgi?id=1369613 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2016-6333
https://notcve.org/view.php?id=CVE-2016-6333
20 Apr 2017 — Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css. Vulnerabilidad XSS en la función de vista previa de subpáginas de usuario CSS en MediaWiki en versiones anteriores a 1.23.15, 1.26.x en versiones anteriores a 1.26.4 y 1.27.x en versiones anteriores a 1.27.1 permite atacantes remotos inyectar se... • http://www.securityfocus.com/bid/98053 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2016-6335
https://notcve.org/view.php?id=CVE-2016-6335
20 Apr 2017 — MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php. MediaWiki en versiones anteriores a 1.23.15, 1.26.x en versiones anteriores a 1.26.4, y 1.27.x en versiones anteriores a 1.27.1 no genera elementos de cabecera en el contexto de un título dado, lo que permite a atacantes remotos obtener información sensible a través de una acción de ... • https://bugzilla.redhat.com/show_bug.cgi?id=1369613 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2016-6336
https://notcve.org/view.php?id=CVE-2016-6336
20 Apr 2017 — MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete. MediaWiki en versiones anteriores a 1.23.15, 1.26.x en versiones anteriores a 1.26.4, y 1.27.x en versiones anteriores a 1.27.1 permite a los usuarios autenticados remotos con permisos undelete eludir las restriccion... • https://bugzilla.redhat.com/show_bug.cgi?id=1369613 • CWE-284: Improper Access Control •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2016-6334
https://notcve.org/view.php?id=CVE-2016-6334
20 Apr 2017 — Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links. Vulnerabilidad de XSS en el método de Parser::replaceInternalLinks2 en MediaWiki en versiones anterior a 1.23.15, 1.26.x en versiones anterior a 1.26.4, y 1.27.x en versiones anterior a 1.27.1 permite a ata... • http://www.securityfocus.com/bid/98057 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8622
https://notcve.org/view.php?id=CVE-2015-8622
23 Mar 2017 — Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to a page named "javascript:alert('XSS!')." Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en MediaWiki en versiones anteriores a 1.23.12, 1.24.x en versiones anteriores a 1.24.5, 1.25.x en versio... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2015-8623
https://notcve.org/view.php?id=CVE-2015-8623
23 Mar 2017 — The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624. La función User::matchEditToken en includes/User.php en MediaWiki en versiones anteriores a 1.23.12 y 1.24.x en versiones anteriores a 1.24.5 no realiza comparación de token en tiempo con... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8624
https://notcve.org/view.php?id=CVE-2015-8624
23 Mar 2017 — The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623. La función User::matchEditToken en includes/User.php en MediaWiki en versiones anteriores a 1.23.12,... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8625
https://notcve.org/view.php?id=CVE-2015-8625
23 Mar 2017 — MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters. MediaWiki en versiones anteriores a 1.23.12, 1.24.x en versiones anteriores a 1.24.5, 1.25.x en versiones anteriores a 1.25.4, y 1.26.x en versiones anteriores a 1.26.1 no desinfecta adecuadamente los parámetros al llamar a la bi... • http://www.openwall.com/lists/oss-security/2015/12/21/8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •