CVE-2013-4302
https://notcve.org/view.php?id=CVE-2013-4302
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php. Los scripts ApiBlock.php, ApiCreateAccount.php, ApiLogin.php, ApiMain.php, ApiQueryDeletedrevs.php, ApiTokens.php, y ApiUnblock.php en includes/api en MediaWiki 1.19.x anterior a 1.19.8, 1.20.x anterior a 1.20.7, y 1.21.x anterior a 1.21.2 permite a atacantes remotos obtener tokens CSFR y evitar la protección contra CSFR via peticiones JSON a wiki/api.php • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96912 http://seclists.org/oss-sec/2013/q3/553 http://secunia.com/advisories/54715 http://www.debian.org/security/2013/dsa-2753 https://bugzilla.wikimedia.org/show_bug.cgi?id=49090 https://exchange.xforce.ibmcloud.com/vulnerabilities/86896 https://www.mediawiki.org/wiki/Release_notes/1.19 https://www.mediawiki.org/wiki/Release_notes/1.20 https://www.mediawiki.org/wiki/Relea • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-4308
https://notcve.org/view.php?id=CVE-2013-4308
Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. Vulnerabilidad cross-site scripting (XSS) en pages/TalkpageHistoryView.php en la extensión LiquidThreads (LQT) 2.x y posiblemente 3.x para MediaWiki 1.19.x (anteriores a 1.19.8) 1.20.x (anteriores a 1.20.7) y 1.21.x (anteriores a 1.21.2) permite a atacantes remotos inyectar script web o HTML a discrección a través de un Asunto de hilo. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96906 http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62218 https://bugzilla.wikimedia.org/show_bug.cgi?id=53320 https://exchange.xforce.ibmcloud.com/vulnerabilities/86891 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-4307
https://notcve.org/view.php?id=CVE-2013-4307
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description. Multiples vulnerabilidades XSS en repo/includes/EntityView.php en la extensión de Wikibase para MediaWiki 1.19.x anteriores a 1.19.8, 1.20.x anteriores a 1.20.7, y 1.21.x anteriores a 1.21.2 permite (1) a atacantes remotos inyectar scripts web o HTML arbitrarios a través de una etiqueta en la sección "In other languages" o (2) a administradores remotos inyectar scripts web o HTML arbitrarios a través de una descripción. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96907 http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62201 https://bugzilla.wikimedia.org/show_bug.cgi?id=53472 https://exchange.xforce.ibmcloud.com/vulnerabilities/86892 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-4885
https://notcve.org/view.php?id=CVE-2012-4885
The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function. El analizador wikitext en MediaWiki 1.17.x antes de 1.17.3 y 1.18.x antes de 1.18.2 permite a atacantes remotos provocar una denegación de servicio (bucle infinito) a través de ciertas entradas, como lo demuestra la función PadLeft. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000109.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000110.html http://secunia.com/advisories/48504 http://www.openwall.com/lists/oss-security/2012/03/22/9 http://www.openwall.com/lists/oss-security/2012/03/24/1 http://www.securityfocus.com/bid/52689 https://bugzilla.wikimedia.org/show_bug.cgi?id=22555 https://bugzilla.wikimedia.org/show_bug.cgi?id=35315 •
CVE-2012-2698 – MediaWiki 1.x - 'uselang' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2698
Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en includes/SkinTemplate.php de MediaWiki anteriores a 1.17.5, 1.8.x anteriores a 1.18.4, y 1.19.x anteriores a 1.19.1. Permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través del parámetro uselang de index.php/Main_page. • https://www.exploit-db.com/exploits/37404 http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000118.html http://secunia.com/advisories/49484 http://securitytracker.com/id?1027179 http://www.openwall.com/lists/oss-security/2012/06/14/2 http://www.osvdb.org/82983 https://bugzilla.wikimedia.org/show_bug.cgi?id=36938 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •