CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2013-4303
https://notcve.org/view.php?id=CVE-2013-4303
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php. El archivo includes/libs/IEUrlExtension.php en la API MediaWiki en MediaWiki versiones 1.19.x anteriores a 1.19.8, versiones 1.20.x anteriores a 1.20.7 y versiones 1.21.x anteriores a 1.21.2 no detecta apropiadamente las extensiones cuando existe un número par de caracteres "." (punto) en una cadena, lo que permite a atacantes remotos realizar ataques de tipo cross-site scripting (XSS) por medio del parámetro siprop en una acción query en el archivo wiki/api.php. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62194 https://bugzilla.wikimedia.org/show_bug.cgi?id=52746 https://exchange.xforce.ibmcloud.com/vulnerabilities/86897 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 17EXPL: 0CVE-2013-4302
https://notcve.org/view.php?id=CVE-2013-4302
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php. Los scripts ApiBlock.php, ApiCreateAccount.php, ApiLogin.php, ApiMain.php, ApiQueryDeletedrevs.php, ApiTokens.php, y ApiUnblock.php en includes/api en MediaWiki 1.19.x anterior a 1.19.8, 1.20.x anterior a 1.20.7, y 1.21.x anterior a 1.21.2 permite a atacantes remotos obtener tokens CSFR y evitar la protección contra CSFR via peticiones JSON a wiki/api.php • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96912 http://seclists.org/oss-sec/2013/q3/553 http://secunia.com/advisories/54715 http://www.debian.org/security/2013/dsa-2753 https://bugzilla.wikimedia.org/show_bug.cgi?id=49090 https://exchange.xforce.ibmcloud.com/vulnerabilities/86896 https://www.mediawiki.org/wiki/Release_notes/1.19 https://www.mediawiki.org/wiki/Release_notes/1.20 https://www.mediawiki.org/wiki/Relea • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 22EXPL: 0CVE-2013-4308
https://notcve.org/view.php?id=CVE-2013-4308
Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. Vulnerabilidad cross-site scripting (XSS) en pages/TalkpageHistoryView.php en la extensión LiquidThreads (LQT) 2.x y posiblemente 3.x para MediaWiki 1.19.x (anteriores a 1.19.8) 1.20.x (anteriores a 1.20.7) y 1.21.x (anteriores a 1.21.2) permite a atacantes remotos inyectar script web o HTML a discrección a través de un Asunto de hilo. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96906 http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62218 https://bugzilla.wikimedia.org/show_bug.cgi?id=53320 https://exchange.xforce.ibmcloud.com/vulnerabilities/86891 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 20EXPL: 0CVE-2013-4307
https://notcve.org/view.php?id=CVE-2013-4307
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description. Multiples vulnerabilidades XSS en repo/includes/EntityView.php en la extensión de Wikibase para MediaWiki 1.19.x anteriores a 1.19.8, 1.20.x anteriores a 1.20.7, y 1.21.x anteriores a 1.21.2 permite (1) a atacantes remotos inyectar scripts web o HTML arbitrarios a través de una etiqueta en la sección "In other languages" o (2) a administradores remotos inyectar scripts web o HTML arbitrarios a través de una descripción. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html http://osvdb.org/96907 http://seclists.org/oss-sec/2013/q3/553 http://www.securityfocus.com/bid/62201 https://bugzilla.wikimedia.org/show_bug.cgi?id=53472 https://exchange.xforce.ibmcloud.com/vulnerabilities/86892 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 5%CPEs: 11EXPL: 0CVE-2012-4885
https://notcve.org/view.php?id=CVE-2012-4885
The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function. El analizador wikitext en MediaWiki 1.17.x antes de 1.17.3 y 1.18.x antes de 1.18.2 permite a atacantes remotos provocar una denegación de servicio (bucle infinito) a través de ciertas entradas, como lo demuestra la función PadLeft. • http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000109.html http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000110.html http://secunia.com/advisories/48504 http://www.openwall.com/lists/oss-security/2012/03/22/9 http://www.openwall.com/lists/oss-security/2012/03/24/1 http://www.securityfocus.com/bid/52689 https://bugzilla.wikimedia.org/show_bug.cgi?id=22555 https://bugzilla.wikimedia.org/show_bug.cgi?id=35315 •