Mediawiki : Security Vulnerabilities, CVEs, (XSS)
Mediawiki v1.40.0 does not validate namespaces used in XML files.
Therefore, if the instance administrator allows XML file uploads,
a remote attacker with a low-privileged user account can use this
exploit to become an administrator by sending a malicious link to
the instance administrator.
Max CVSS
9.0
EPSS Score
0.13%
Published
2023-09-25
Updated
2024-02-01
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)
Max CVSS
7.5
EPSS Score
0.20%
Published
2020-12-18
Updated
2022-04-08
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.5 allow remote attackers to execute arbitrary scripts and/or SQL queries via (1) the UnicodeConverter extension, (2) raw page views, (3) SpecialIpblocklist, (4) SpecialEmailuser, (5) SpecialMaintenance, and (6) ImagePage.
Max CVSS
6.8
EPSS Score
0.61%
Published
2004-12-31
Updated
2008-09-05
Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.6.x through 1.9.2, when $wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded value of the rs parameter, which is processed by Internet Explorer.
Max CVSS
6.8
EPSS Score
10.55%
Published
2007-02-21
Updated
2018-10-16
Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.9.x before 1.9.0rc2, and 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the rs parameter. NOTE: this issue might be a duplicate of CVE-2007-0177.
Max CVSS
6.8
EPSS Score
1.67%
Published
2007-02-21
Updated
2018-10-19
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.
Max CVSS
6.1
EPSS Score
0.17%
Published
2017-10-26
Updated
2017-10-31
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php.
Max CVSS
6.1
EPSS Score
0.18%
Published
2017-10-26
Updated
2017-10-31
A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names.
Max CVSS
6.1
EPSS Score
0.34%
Published
2019-10-31
Updated
2020-08-18
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.
Max CVSS
6.1
EPSS Score
0.45%
Published
2019-12-11
Updated
2019-12-19
Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.
Max CVSS
6.1
EPSS Score
0.09%
Published
2020-01-28
Updated
2020-01-30
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to a page named "javascript:alert('XSS!')."
Max CVSS
6.1
EPSS Score
0.17%
Published
2017-03-23
Updated
2017-03-27
A vulnerability, which was classified as problematic, was found in Wikisource Category Browser. This affects an unknown part of the file index.php. The manipulation of the argument lang leads to cross site scripting. It is possible to initiate the attack remotely. The patch is named 764f4e8ce3f9242637df77530c70ae8a2ec4b6a1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218415.
Max CVSS
6.1
EPSS Score
0.14%
Published
2023-01-17
Updated
2024-04-11
Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css.
Max CVSS
6.1
EPSS Score
0.21%
Published
2017-04-20
Updated
2017-04-29
Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links.
Max CVSS
6.1
EPSS Score
0.21%
Published
2017-04-20
Updated
2017-04-29
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping.
Max CVSS
6.1
EPSS Score
0.09%
Published
2017-11-15
Updated
2017-11-28
A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2 on MediaWiki. This affects an unknown part of the file Piwik.hooks.php of the component Username Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.4.3 is able to address this issue. The patch is named 681324e4f518a8af4bd1f93867074c728eb9923d. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220203.
Max CVSS
6.1
EPSS Score
0.09%
Published
2023-02-05
Updated
2024-04-11
Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Max CVSS
6.1
EPSS Score
0.56%
Published
2019-07-10
Updated
2019-07-16
In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS exists within the edit summary field in includes/specials/MobileSpecialPageFeed.php.
Max CVSS
6.1
EPSS Score
0.07%
Published
2019-08-09
Updated
2019-09-25
In the MobileFrontend extension for MediaWiki, XSS exists within the edit summary field of the watchlist feed. This affects REL1_31, REL1_32, and REL1_33.
Max CVSS
6.1
EPSS Score
0.10%
Published
2020-03-19
Updated
2020-03-23
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.
Max CVSS
6.1
EPSS Score
0.11%
Published
2019-12-11
Updated
2019-12-11
The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 and/or 1.34) mishandles certain HTML attributes, as demonstrated by IMG onmouseover= (impact is XSS) and IMG src=http (impact is disclosing the client's IP address). This can occur within a talk page topical header that is viewed within a mobile (MobileFrontend) context.
Max CVSS
6.1
EPSS Score
0.08%
Published
2019-12-19
Updated
2019-12-31
The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file).
Max CVSS
6.1
EPSS Score
0.07%
Published
2020-01-08
Updated
2020-01-15
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
Max CVSS
6.1
EPSS Score
0.10%
Published
2020-09-27
Updated
2022-01-01
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked.
Max CVSS
6.1
EPSS Score
0.10%
Published
2020-09-27
Updated
2022-01-01
An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().
Max CVSS
6.1
EPSS Score
0.10%
Published
2020-09-27
Updated
2022-01-01