CVSS: 6.1EPSS: 0%CPEs: 139EXPL: 1CVE-2011-1578 – Debian Security Advisory 2366-1
https://notcve.org/view.php?id=CVE-2011-1578
27 Apr 2011 — Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. Ejecución de secuencias de comandos en sitios cruzados (XSS) en MediaWiki antes de 1.16.3, cuando Internet Explorer 6 o versiones ant... • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058588.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 135EXPL: 0CVE-2011-1580 – Gentoo Linux Security Advisory 201206-09
https://notcve.org/view.php?id=CVE-2011-1580
27 Apr 2011 — The transwiki import functionality in MediaWiki before 1.16.3 does not properly check privileges, which allows remote authenticated users to perform imports from any wgImportSources wiki via a crafted POST request. La funcionalidad de importación transwiki en MediaWiki antes de v1.16.3 no comprueba correctamente los privilegios, lo que permite a usuarios autenticados remotamente realizar las importaciones de cualquier wiki wgImportSources a través de una petición POST manipulada. Multiple vulnerabilities ha... • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058588.html • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 140EXPL: 0CVE-2011-1587 – Debian Security Advisory 2366-1
https://notcve.org/view.php?id=CVE-2011-1587
27 Apr 2011 — Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578. Vulnerabilidad de ejecución de ... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 135EXPL: 1CVE-2011-1579 – Gentoo Linux Security Advisory 201206-09
https://notcve.org/view.php?id=CVE-2011-1579
27 Apr 2011 — The checkCss function in includes/Sanitizer.php in the wikitext parser in MediaWiki before 1.16.3 does not properly validate Cascading Style Sheets (CSS) token sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information by using the \2f\2a and \2a\2f hex strings to surround CSS comments. La función checkCss en includes/Sanitizer.php en el analizador wikitext de MediaWiki antes de v1.16.3, no valida correctamente las hojas de estilo en cascada (CSS) ... • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058588.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 95EXPL: 0CVE-2010-2787 – Gentoo Linux Security Advisory 201206-09
https://notcve.org/view.php?id=CVE-2010-2787
27 Apr 2011 — api.php in MediaWiki before 1.15.5 does not prevent use of public caching headers for private data, which allows remote attackers to bypass intended access restrictions and obtain sensitive information by retrieving documents from an HTTP proxy cache that has been used by a victim. api.php en MediaWiki anterior a v1.15.5 no previene el uso de las cabeceras caché públicas para los datos privados, lo que permite a atacantes remotos evitar las restricciones de acceso implementadas y obtener información sensibl... • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058588.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 126EXPL: 0CVE-2010-2788 – Gentoo Linux Security Advisory 201206-09
https://notcve.org/view.php?id=CVE-2010-2788
27 Apr 2011 — Cross-site scripting (XSS) vulnerability in profileinfo.php in MediaWiki before 1.15.5, when wgEnableProfileInfo is enabled, allows remote attackers to inject arbitrary web script or HTML via the filter parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en profileinfo.php en MediaWiki anterior a v1.15.5, cyabdi wgEnableProfileInfo está activado, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro "filter". Multip... • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058588.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 136EXPL: 0CVE-2011-0047 – Gentoo Linux Security Advisory 201206-09
https://notcve.org/view.php?id=CVE-2011-0047
04 Feb 2011 — Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability." Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en MediaWiki anterior a v1.16.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante una hoja de estilos (CSS) manipulada, también conocido como "vulnerabilidad de inyección de... • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058910.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 135EXPL: 0CVE-2011-0003 – Gentoo Linux Security Advisory 201206-09
https://notcve.org/view.php?id=CVE-2011-0003
11 Jan 2011 — MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled, allows remote attackers to conduct clickjacking attacks via unspecified vectors. MediaWiki anterior a v1.16.1, cuando el usuario o el sitio JavaScript o CSS está activado, permite a atacantes remotos realizar ataques de clickjacking a través de vectores no especificados. Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. Versions less than 1.18.2 are affected. • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058910.html • CWE-20: Improper Input Validation •
CVSS: 8.0EPSS: 0%CPEs: 64EXPL: 1CVE-2010-1150 – Debian Linux Security Advisory 2041-1
https://notcve.org/view.php?id=CVE-2010-1150
20 Apr 2010 — MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue. MediaWiki en versiones anteriores a la v1.15.3, y v1.6.x anteriores a la v1.16.0beta2, no gestiona apropiadamente un intento de inicio de sesión correctamente au... • http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.1EPSS: 0%CPEs: 92EXPL: 0CVE-2010-1190
https://notcve.org/view.php?id=CVE-2010-1190
31 Mar 2010 — thumb.php in MediaWiki before 1.15.2, when used with access-restriction mechanisms such as img_auth.php, does not check user permissions before providing scaled images, which allows remote attackers to bypass intended access restrictions and read private images via unspecified manipulations. thumb.php en MediaWiki en versiones anteriores a la 1.15.2, cuando es usado con mecanismos de restricción de acceso como en img_auth.php, no verifica los permisos del usuario antes de proporcionar imágenes a escala, lo ... • http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.html • CWE-264: Permissions, Privileges, and Access Controls •