CVSS: 9.8EPSS: 1%CPEs: 50EXPL: 1CVE-2014-5243 – Debian Security Advisory 3011-1
https://notcve.org/view.php?id=CVE-2014-5243
22 Aug 2014 — MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. MediaWiki anterior a 1.19.18, 1.20.x hasta 1.22.x anterior a 1.22.9, y 1.23.x anterior a 1.23.2 no aplica un mecanismo de protección IFRAME para páginas transcluidas, lo que facilita a atacantes remotos realizar ataques de clickjacking a través de un sit... • http://advisories.mageia.org/MGASA-2014-0309.html • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 50EXPL: 1CVE-2014-5241 – Debian Security Advisory 3011-1
https://notcve.org/view.php?id=CVE-2014-5241
22 Aug 2014 — The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set. El endpoint JSONP en includes/api/ApiFormatJson.php en MediaWi... • http://advisories.mageia.org/MGASA-2014-0309.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 33EXPL: 0CVE-2014-3966 – Debian Security Advisory 2957-1
https://notcve.org/view.php?id=CVE-2014-3966
06 Jun 2014 — Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username. Vulnerabilidad de XSS en Special:PasswordReset in MediaWiki anterior a 1.19.16, 1.21.x anterior a 1.21.10 y 1.22.x anterior a 1.22.7, cuando wgRawHtml está habilitado, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a ... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 15EXPL: 0CVE-2012-5395
https://notcve.org/view.php?id=CVE-2012-5395
02 Jun 2014 — Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the centralauth_Session cookie. Vulnerabilidad de fijación de sesión en la extensión CentralAuth para MediaWiki anterior a 1.18.6, 1.19.x anterior a 1.19.3 y 1.20.x anterior a 1.20.1 permite a atacantes remotos secuestrar sesiones web a través de la cookie centralauth_Session. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-November/000122.html •
CVSS: 9.8EPSS: 1%CPEs: 15EXPL: 0CVE-2012-5391
https://notcve.org/view.php?id=CVE-2012-5391
02 Jun 2014 — Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the session_id. Vulnerabilidad de fijación de sesión en Special:UserLogin en MediaWiki anterior a 1.18.6, 1.19.x anterior a 1.19.3 y 1.20.x anterior a 1.20.1 permite a atacantes remotos secuestrar sesiones web a través de session_id. • http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098975.html •
CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 0CVE-2013-4570
https://notcve.org/view.php?id=CVE-2013-4570
12 May 2014 — The zend_inline_hash_func function in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to converting Lua data structures to PHP, as demonstrated by passing { [{}] = 1 } to a module function. La función zend_inline_hash_func en php-luasandbox en la extensión Scribuntu para MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html •
CVSS: 8.8EPSS: 0%CPEs: 18EXPL: 0CVE-2014-3454
https://notcve.org/view.php?id=CVE-2014-3454
12 May 2014 — Cross-site request forgery (CSRF) vulnerability in Special:CreateCategory in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to hijack the authentication of users for requests that create categories via unspecified vectors. Vulnerabilidad de CSRF en Special:CreateCategory en la extensión SemanticForms para MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x anterior a 1.22.1 permite a atacantes remotos secuestrar la aut... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 18EXPL: 0CVE-2013-4571
https://notcve.org/view.php?id=CVE-2013-4571
12 May 2014 — Buffer overflow in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 has unspecified impact and remote vectors. Desbordamiento de buffer en php-luasandbox en la extensión Scribuntu para MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x anterior a 1.22.1 tiene impacto no especificado y vectores remotos. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.8EPSS: 0%CPEs: 18EXPL: 0CVE-2014-3455
https://notcve.org/view.php?id=CVE-2014-3455
12 May 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote attackers to hijack the authentication of users for requests that have unspecified impact and vectors. Múltiples vulnerabilidades de CSRF en las páginas especiales (1) CreateProperty, (2) CreateTemplate, (3) CreateForm y (4) CreateClass ... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 18EXPL: 0CVE-2013-4574
https://notcve.org/view.php?id=CVE-2013-4574
12 May 2014 — Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to videos. Vulnerabilidad de XSS en la extensión TimeMediaHandler para MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x anterior a 1.22.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores relacionados con vídeos. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •