CVSS: 6.1EPSS: 0%CPEs: 193EXPL: 0CVE-2014-2853 – Gentoo Linux Security Advisory 201502-04
https://notcve.org/view.php?id=CVE-2014-2853
29 Apr 2014 — Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action. Vulnerabilidad de XSS en includes/actions/InfoAction.php en MediaWiki anterior a 1.21.9 y 1.22.x anterior a 1.22.6 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de la clave "sort" en una acción "info". Multiple vulnerabilities have been found in MediaWiki... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 39EXPL: 0CVE-2014-2665 – Debian Security Advisory 2891-3
https://notcve.org/view.php?id=CVE-2014-2665
07 Apr 2014 — includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue. El archivo includes/specials/SpecialChangePassword.php en MediaWiki a... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000145.html • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 18EXPL: 0CVE-2013-6454 – Debian Security Advisory 2891-3
https://notcve.org/view.php?id=CVE-2013-6454
31 Mar 2014 — Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute. Vulnerabilidad de XSS en MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x anterior a 1.22.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un atributo -o-link. Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remo... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 18EXPL: 0CVE-2013-6453 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2013-6453
13 Mar 2014 — MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML. MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x anterior a 1.22.1 no limpia debidamente archivos SVG, lo que permite a atacantes remotos tener impacto no especificado a través de XML inválido. MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed insertion of escaped CSS values which could pass ... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 18EXPL: 0CVE-2013-6472 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2013-6472
13 Mar 2014 — MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists. MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x anterior a 1.22.1 permite a atacantes remotos obtener información acerca de página eliminada a través de las listas de vigilancia de (1) la API de registro, (2) Enhanced RecentChanges y (3) usuarios. MediaWiki user Michael M reported that t... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 18EXPL: 0CVE-2013-6452 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2013-6452
13 Mar 2014 — Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file. Vulnerabilidad de XSS en MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x anterior a 1.22.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de XSL manipulado en un archivo SVG. MediaWiki user Michael M reported that the fix for CVE-2013-4568 all... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 90EXPL: 0CVE-2014-2244 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2014-2244
02 Mar 2014 — Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php. Vulnerabilidad de XSS en la función formatHTML en includes/api/ApiFormatBase.php en MediaWiki anterior a 1.19.12, 1.20.x y 1.21.x anterior a 1.21.6 y 1.22.x anterior a 1.22.3 permite ... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 90EXPL: 0CVE-2014-2242 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2014-2242
02 Mar 2014 — includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element. includes/upload/UploadBase.php en MediaWiki anterior a 1.19.12, 1.20.x y 1.21.x anterior a 1.21.6 y 1.22.x anterior a 1.22.3 no previene el uso de espacios... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 90EXPL: 0CVE-2014-2243 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2014-2243
02 Mar 2014 — includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses. includes/User.php en MediaWiki anterior a 1.19.12, 1.20.x y 1.21.x anterior a 1.21.6 y 1.22.x anterior a 1.22.3 termina la validación de un token de usuario cua... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2013-4572 – Debian Security Advisory 2891-3
https://notcve.org/view.php?id=CVE-2013-4572
19 Dec 2013 — The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user. La extensión CentralNotice para MediaWiki versiones anteriores a 1.19.9, versiones 1.20.x anteriores a 1.20.8 y versiones 1.21.x anteriores a 1.21.3, establece el encabezado Cache-Control para almacenar en caché las cookies de sesión cuando un usuario es aut... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html • CWE-384: Session Fixation •