CVE-2014-2244
https://notcve.org/view.php?id=CVE-2014-2244
Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php. Vulnerabilidad de XSS en la función formatHTML en includes/api/ApiFormatBase.php en MediaWiki anterior a 1.19.12, 1.20.x y 1.21.x anterior a 1.21.6 y 1.22.x anterior a 1.22.3 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de una cadena manipulada localizada después de http:// en el parámetro text hacia api.php. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html http://openwall.com/lists/oss-security/2014/02/28/1 http://openwall.com/lists/oss-security/2014/03/01/2 http://www.securityfocus.com/bid/65906 https://bugzilla.redhat.com/show_bug.cgi?id=1071139 https://bugzilla.wikimedia.org/show_bug.cgi?id=61362 https://gerrit.wikimedia.org/r/#/q/Idf985e4e69c2f11778a8a90503914678441cb3fb%2Cn%2Cz • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-1610 – MediaWiki - 'Thumb.php' Remote Command Execution
https://notcve.org/view.php?id=CVE-2014-1610
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php. MediaWiki 1.22.x en versiones anteriores a 1.22.2, 1.21.x en versiones anteriores a 1.21.5 y 1.19.x en versiones anteriores a 1.19.11, cuando el soporte a la carga de archivos DjVu o PDF está habilitado, permite a atacantes remotos ejecutar comandos arbitrarios a través de metacaracteres shell en (1) el parámetro page en includes/media/DjVu.php; (2) el parámetro w (también conocido como campo width) en thumb.php, lo que no se maneja correctamente por includes/media/PdfHandler_body.php; y posiblemente vectores no especificados en (3) includes/media/Bitmap.php e (4) includes/media/ImageHandler.php. • https://www.exploit-db.com/exploits/31767 https://www.exploit-db.com/exploits/31329 http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127942.html http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127948.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html http://osvdb.org/102630 http://secunia.com/advisories/56695 http://secunia.com/advisories/57472 http://www.checkpoint.com/defense/advisories/public/2014/cpai-26-jan • CWE-20: Improper Input Validation •
CVE-2011-0047
https://notcve.org/view.php?id=CVE-2011-0047
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability." Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en MediaWiki anterior a v1.16.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante una hoja de estilos (CSS) manipulada, también conocido como "vulnerabilidad de inyección de CSS." • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058910.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059232.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059235.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-February/000095.html http://osvdb.org/70770 http://secunia.com/advisories/43142 http://www.securityfocus.com/bid/46108 http://www.vupen.com/english/advisories/2011/0273 https://bugzilla.wikimedia.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-0003
https://notcve.org/view.php?id=CVE-2011-0003
MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled, allows remote attackers to conduct clickjacking attacks via unspecified vectors. MediaWiki anterior a v1.16.1, cuando el usuario o el sitio JavaScript o CSS está activado, permite a atacantes remotos realizar ataques de clickjacking a través de vectores no especificados. • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058910.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059232.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059235.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-January/000093.html http://secunia.com/advisories/42810 http://www.openwall.com/lists/oss-security/2011/01/04/12 http://www.openwall.com/lists/oss-security/2011/01/04/6 http://www.osvdb.org& • CWE-20: Improper Input Validation •
CVE-2005-1888
https://notcve.org/view.php?id=CVE-2005-1888
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.5 allows remote attackers to inject arbitrary web script via HTML attributes in page templates. • http://sourceforge.net/project/shownotes.php?release_id=332231 http://www.novell.com/linux/security/advisories/2005_19_sr.html http://www.securityfocus.com/bid/13861 •