CVSS: 9.8EPSS: 47%CPEs: 17EXPL: 5CVE-2014-1610 – MediaWiki - 'Thumb.php' Remote Command Execution
https://notcve.org/view.php?id=CVE-2014-1610
30 Jan 2014 — MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php. MediaWiki 1.22.x en v... • https://packetstorm.news/files/id/125040 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2013-4572 – Debian Security Advisory 2891-3
https://notcve.org/view.php?id=CVE-2013-4572
19 Dec 2013 — The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user. La extensión CentralNotice para MediaWiki versiones anteriores a 1.19.9, versiones 1.20.x anteriores a 1.20.8 y versiones 1.21.x anteriores a 1.21.3, establece el encabezado Cache-Control para almacenar en caché las cookies de sesión cuando un usuario es aut... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html • CWE-384: Session Fixation •
CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 0CVE-2013-4567 – Debian Security Advisory 2891-3
https://notcve.org/view.php?id=CVE-2013-4567
13 Dec 2013 — Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS. Vulenrabilidad de lista negra incompleta en Sanitizer::checkCss en MediaWiki anterior a 1.19.9, 1.20.x anterior a 1.20.8 y 1.21.x anterior a 1.21.3 que permite a atacantes remotos realizar cross-site scripting (XSS) a través de un \b (retroceso carácter) en el CSS. Kevi... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html •
CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 0CVE-2013-4568 – Debian Security Advisory 2891-3
https://notcve.org/view.php?id=CVE-2013-4568
13 Dec 2013 — Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer. Vulnerabilidad de blacklist incompleta en Sanitizer::checkCss en MediaWiki anteriores a 1.19.9, 1.20.8, ... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html •
CVSS: 5.3EPSS: 0%CPEs: 23EXPL: 0CVE-2013-4569
https://notcve.org/view.php?id=CVE-2013-4569
13 Dec 2013 — The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3, when "Group changes by page in recent changes and watchlist" is enabled, allows remote attackers to obtain sensitive information (revision-deleted IPs) via the Recent Changes page. La extensión CleanChanges de MediaWiki anterior a 1.19.9, 1.20.x anterior a 1.20.8 y 1.21.x anterior a 1.21.3, cuando "Group changes by page in recent changes and watchlist" está activada, permite a atacantes remotos obtener in... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 23EXPL: 0CVE-2012-5394
https://notcve.org/view.php?id=CVE-2012-5394
13 Dec 2013 — Cross-site request forgery (CSRF) vulnerability in the CentralAuth extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to hijack the authentication of users for requests that login via vectors involving image loading. Vulnerabilidad de Cross-site request forgery (CSRF) en la extensión de MediaWiki CentralAuth antes de 1.19.9, 1.20.x anterior a 1.20.8 y 1.21.x anterior a 1.21.3 permite a atacantes remotos secuestrar la autenticación de los usuarios pa... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 20EXPL: 0CVE-2013-4573
https://notcve.org/view.php?id=CVE-2013-4573
25 Nov 2013 — Cross-site scripting (XSS) vulnerability in the ZeroRatedMobileAccess extension for MediaWiki 1.19.x before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to inject arbitrary web script or HTML via the "to" parameter to index.php. Vulnerabilidad de XSS en la extensión ZeroRatedMobileAccess para MediaWiki 1.19.x anterior a la versión 1.19.9, 1.20.x anterior a 1.20.8, y 1.21.x anterior a la versión 1.21.3 permite a atacantes remotos inyectar script web o HTML arbitrario a travé... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 1CVE-2013-4304 – Gentoo Linux Security Advisory 201310-21
https://notcve.org/view.php?id=CVE-2013-4304
28 Oct 2013 — The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote attackers to bypass authentication without a password. La extensión de MediaWiki CentralAuth 1.19.x anterior a 1.19.8, 1.20.7 anterior a 1.20.x y 1.21.x anterior 1.21.2 almacena en caché un objeto CentralAuthUser válida en la cookie centralauth_User incluso cuando ... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2013-4305 – Gentoo Linux Security Advisory 201310-21
https://notcve.org/view.php?id=CVE-2013-4305
11 Oct 2013 — Cross-site scripting (XSS) vulnerability in contrib/example.php in the SyntaxHighlight GeSHi extension for MediaWiki, possibly as downloaded before September 2013, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. Vulnerabilidad de XSS en contrib/example.php de la extensión SyntaxHighlight GeSHi para MediaWiki, posiblemente la descargada antes de septiembre de 2013, permite a atacantes remotos inyectar script web arbitrario o HTML a través de PATH_INFO. Multiple vulnerabiliti... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2013-4306 – Gentoo Linux Security Advisory 201310-21
https://notcve.org/view.php?id=CVE-2013-4306
11 Oct 2013 — Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors. Vulnerabilidad cross-site request forgery (CSRF) en api/ApiQueryCheckUser.php en la extensión CheckUser para MediaWiki, posiblemente CheckUser anteriores a 2.3, permite a atacantes remotos secuestrar la autenticac... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html • CWE-352: Cross-Site Request Forgery (CSRF) •