CVSS: 9.8EPSS: 0%CPEs: 18EXPL: 0CVE-2013-6453 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2013-6453
13 Mar 2014 — MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML. MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x anterior a 1.22.1 no limpia debidamente archivos SVG, lo que permite a atacantes remotos tener impacto no especificado a través de XML inválido. MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed insertion of escaped CSS values which could pass ... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 18EXPL: 0CVE-2013-6472 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2013-6472
13 Mar 2014 — MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists. MediaWiki anterior a 1.19.10, 1.2x anterior a 1.21.4 y 1.22.x anterior a 1.22.1 permite a atacantes remotos obtener información acerca de página eliminada a través de las listas de vigilancia de (1) la API de registro, (2) Enhanced RecentChanges y (3) usuarios. MediaWiki user Michael M reported that t... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 90EXPL: 0CVE-2014-2242 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2014-2242
02 Mar 2014 — includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element. includes/upload/UploadBase.php en MediaWiki anterior a 1.19.12, 1.20.x y 1.21.x anterior a 1.21.6 y 1.22.x anterior a 1.22.3 no previene el uso de espacios... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 90EXPL: 0CVE-2014-2243 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2014-2243
02 Mar 2014 — includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses. includes/User.php en MediaWiki anterior a 1.19.12, 1.20.x y 1.21.x anterior a 1.21.6 y 1.22.x anterior a 1.22.3 termina la validación de un token de usuario cua... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.1EPSS: 0%CPEs: 90EXPL: 0CVE-2014-2244 – Mandriva Linux Security Advisory 2014-057
https://notcve.org/view.php?id=CVE-2014-2244
02 Mar 2014 — Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php. Vulnerabilidad de XSS en la función formatHTML en includes/api/ApiFormatBase.php en MediaWiki anterior a 1.19.12, 1.20.x y 1.21.x anterior a 1.21.6 y 1.22.x anterior a 1.22.3 permite ... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2013-4572 – Debian Security Advisory 2891-3
https://notcve.org/view.php?id=CVE-2013-4572
19 Dec 2013 — The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user. La extensión CentralNotice para MediaWiki versiones anteriores a 1.19.9, versiones 1.20.x anteriores a 1.20.8 y versiones 1.21.x anteriores a 1.21.3, establece el encabezado Cache-Control para almacenar en caché las cookies de sesión cuando un usuario es aut... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html • CWE-384: Session Fixation •
CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 0CVE-2013-4567 – Debian Security Advisory 2891-3
https://notcve.org/view.php?id=CVE-2013-4567
13 Dec 2013 — Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS. Vulenrabilidad de lista negra incompleta en Sanitizer::checkCss en MediaWiki anterior a 1.19.9, 1.20.x anterior a 1.20.8 y 1.21.x anterior a 1.21.3 que permite a atacantes remotos realizar cross-site scripting (XSS) a través de un \b (retroceso carácter) en el CSS. Kevi... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html •
CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 0CVE-2013-4568 – Debian Security Advisory 2891-3
https://notcve.org/view.php?id=CVE-2013-4568
13 Dec 2013 — Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer. Vulnerabilidad de blacklist incompleta en Sanitizer::checkCss en MediaWiki anteriores a 1.19.9, 1.20.8, ... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html •
CVSS: 5.3EPSS: 0%CPEs: 23EXPL: 0CVE-2013-4569
https://notcve.org/view.php?id=CVE-2013-4569
13 Dec 2013 — The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3, when "Group changes by page in recent changes and watchlist" is enabled, allows remote attackers to obtain sensitive information (revision-deleted IPs) via the Recent Changes page. La extensión CleanChanges de MediaWiki anterior a 1.19.9, 1.20.x anterior a 1.20.8 y 1.21.x anterior a 1.21.3, cuando "Group changes by page in recent changes and watchlist" está activada, permite a atacantes remotos obtener in... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 23EXPL: 0CVE-2012-5394
https://notcve.org/view.php?id=CVE-2012-5394
13 Dec 2013 — Cross-site request forgery (CSRF) vulnerability in the CentralAuth extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to hijack the authentication of users for requests that login via vectors involving image loading. Vulnerabilidad de Cross-site request forgery (CSRF) en la extensión de MediaWiki CentralAuth antes de 1.19.9, 1.20.x anterior a 1.20.8 y 1.21.x anterior a 1.21.3 permite a atacantes remotos secuestrar la autenticación de los usuarios pa... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html • CWE-352: Cross-Site Request Forgery (CSRF) •