CVSS: 5.0EPSS: 0%CPEs: 17EXPL: 0CVE-2013-4302
https://notcve.org/view.php?id=CVE-2013-4302
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php. Los scripts ApiBlock.php, ApiCreateAccount.php, ApiLogin.php, ApiMain.php, ApiQueryDeletedrevs.php, ApiTokens.php, y ApiUnblock.php en includes/api en MediaWiki 1.19.x anterior a 1.19.8, 1.20.x anterior a 1.20.7, y 1.21.x anterior a 1.21.2 permite a atacantes remotos obtener tokens CSFR y evitar la protección contra CSFR via peticiones JSON a wiki/api.php • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96912 http://seclists.org/oss-sec/2013/q3/553 http://secunia.com/advisories/54715 http://www.debian.org/security/2013/dsa-2753 https://bugzilla.wikimedia.org/show_bug.cgi?id=49090 https://exchange.xforce.ibmcloud.com/vulnerabilities/86896 https://www.mediawiki.org/wiki/Release_notes/1.19 https://www.mediawiki.org/wiki/Release_notes/1.20 https://www.mediawiki.org/wiki/Relea • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 22EXPL: 0CVE-2013-4308
https://notcve.org/view.php?id=CVE-2013-4308
Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. Vulnerabilidad cross-site scripting (XSS) en pages/TalkpageHistoryView.php en la extensión LiquidThreads (LQT) 2.x y posiblemente 3.x para MediaWiki 1.19.x (anteriores a 1.19.8) 1.20.x (anteriores a 1.20.7) y 1.21.x (anteriores a 1.21.2) permite a atacantes remotos inyectar script web o HTML a discrección a través de un Asunto de hilo. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96906 http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62218 https://bugzilla.wikimedia.org/show_bug.cgi?id=53320 https://exchange.xforce.ibmcloud.com/vulnerabilities/86891 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 20EXPL: 0CVE-2013-4307
https://notcve.org/view.php?id=CVE-2013-4307
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description. Multiples vulnerabilidades XSS en repo/includes/EntityView.php en la extensión de Wikibase para MediaWiki 1.19.x anteriores a 1.19.8, 1.20.x anteriores a 1.20.7, y 1.21.x anteriores a 1.21.2 permite (1) a atacantes remotos inyectar scripts web o HTML arbitrarios a través de una etiqueta en la sección "In other languages" o (2) a administradores remotos inyectar scripts web o HTML arbitrarios a través de una descripción. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96907 http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62201 https://bugzilla.wikimedia.org/show_bug.cgi?id=53472 https://exchange.xforce.ibmcloud.com/vulnerabilities/86892 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 136EXPL: 0CVE-2011-0047
https://notcve.org/view.php?id=CVE-2011-0047
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability." Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en MediaWiki anterior a v1.16.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante una hoja de estilos (CSS) manipulada, también conocido como "vulnerabilidad de inyección de CSS." • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058910.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059232.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059235.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-February/000095.html http://osvdb.org/70770 http://secunia.com/advisories/43142 http://www.securityfocus.com/bid/46108 http://www.vupen.com/english/advisories/2011/0273 https://bugzilla.wikimedia.org&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 135EXPL: 0CVE-2011-0003
https://notcve.org/view.php?id=CVE-2011-0003
MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled, allows remote attackers to conduct clickjacking attacks via unspecified vectors. MediaWiki anterior a v1.16.1, cuando el usuario o el sitio JavaScript o CSS está activado, permite a atacantes remotos realizar ataques de clickjacking a través de vectores no especificados. • http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058910.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059232.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059235.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-January/000093.html http://secunia.com/advisories/42810 http://www.openwall.com/lists/oss-security/2011/01/04/12 http://www.openwall.com/lists/oss-security/2011/01/04/6 http://www.osvdb.org& • CWE-20: Improper Input Validation •