CVSS: 8.8EPSS: 0%CPEs: 17EXPL: 0CVE-2013-4302 – Mandriva Linux Security Advisory 2013-235
https://notcve.org/view.php?id=CVE-2013-4302
13 Sep 2013 — (1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php. Los scripts ApiBlock.php, ApiCreateAccount.php, ApiLogin.php, ApiMain.php, ApiQueryDeletedrevs.php, ApiTokens.p... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 20EXPL: 0CVE-2013-4307 – Gentoo Linux Security Advisory 201310-21
https://notcve.org/view.php?id=CVE-2013-4307
11 Sep 2013 — Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description. Multiples vulnerabilidades XSS en repo/includes/EntityView.php en la extensión de Wikibase para MediaWiki 1.19.x anter... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 22EXPL: 0CVE-2013-4308 – Gentoo Linux Security Advisory 201310-21
https://notcve.org/view.php?id=CVE-2013-4308
11 Sep 2013 — Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. Vulnerabilidad cross-site scripting (XSS) en pages/TalkpageHistoryView.php en la extensión LiquidThreads (LQT) 2.x y posiblemente 3.x para MediaWiki 1.19.x (anteriores a 1.19.8) 1.20.x (anteriores a 1.20.7) y 1.2... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4885
https://notcve.org/view.php?id=CVE-2012-4885
09 Sep 2012 — The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function. El analizador wikitext en MediaWiki 1.17.x antes de 1.17.3 y 1.18.x antes de 1.18.2 permite a atacantes remotos provocar una denegación de servicio (bucle infinito) a través de ciertas entradas, como lo demuestra la función PadLeft. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000109.html •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2012-1578
https://notcve.org/view.php?id=CVE-2012-1578
09 Sep 2012 — Multiple cross-site request forgery (CSRF) vulnerabilities in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allow remote attackers to hijack the authentication of users with the block permission for requests that (1) block a user via a request to the Block module or (2) unblock a user via a request to the Unblock module. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en MediaWiki V1.17.x anteriores a v1.17.3 y v.18.x anteriores a v1.18.2, permite a atacantes remo... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000109.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 11EXPL: 1CVE-2012-1579
https://notcve.org/view.php?id=CVE-2012-1579
09 Sep 2012 — The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. El gestor de recursos en MediaWiki v1.17.x antes de v1.17.3 y v1.18.x antes de v1.18.2 incluye datos privados, como tokens CSRF en un archivo JavaScript, lo que permite a atacantes remotos obtener información sensible. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000109.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2012-1580
https://notcve.org/view.php?id=CVE-2012-1580
09 Sep 2012 — Cross-site request forgery (CSRF) vulnerability in Special:Upload in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload files. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Special:Upload en MediaWiki v1.17.x antes de v1.17.3 y v1.18.x antes de v1.18.2, permite a atacantes remotos secuestrar la autenticación de las víctimas no especificadas para las solicitudes que suben archi... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000109.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.1EPSS: 0%CPEs: 11EXPL: 0CVE-2012-1581
https://notcve.org/view.php?id=CVE-2012-1581
09 Sep 2012 — MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random numbers for password reset tokens, which makes it easier for remote attackers to change the passwords of arbitrary users. MediaWiki v1.17.x anterior a v1.17.3 y v1.18.x anterior a v1.18.2 usa números aleatorios débiles para el reseteo de contraseñas de los tokens, lo que facilita a los atacantes remotos cambiar las contraseñas de los usuarios. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000109.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2012-1582
https://notcve.org/view.php?id=CVE-2012-1582
09 Sep 2012 — Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to inject arbitrary web script or HTML via a crafted page with "forged strip item markers," as demonstrated using the CharInsert extension. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el analizador wikitext en MediaWiki v1.17.x antes de v1.17.3 y v1.18.x antes de v1.18.2 permite a atacantes remotos inyectar secuencias de coma... • http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000109.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 18%CPEs: 155EXPL: 2CVE-2012-2698 – MediaWiki 1.x - 'uselang' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2698
29 Jun 2012 — Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en includes/SkinTemplate.php de MediaWiki anteriores a 1.17.5, 1.8.x anteriores a 1.18.4, y 1.19.x anteriores a 1.19.1. Permite a atacantes remotos inyectar codi... • https://www.exploit-db.com/exploits/37404 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •