Mediawiki : Security Vulnerabilities, CVEs, Published In 2004

Unknown vulnerability in ImagePage for MediaWiki 1.3.5, related to "filename validation," has unknown impact and attack vectors.

SQL injection vulnerability in MediaWiki 1.3.5 allows remote attackers to execute arbitrary SQL commands via SpecialMaintenance.

Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.5 allow remote attackers to execute arbitrary scripts and/or SQL queries via (1) the UnicodeConverter extension, (2) raw page views, (3) SpecialIpblocklist, (4) SpecialEmailuser, (5) SpecialMaintenance, and (6) ImagePage.

Cross-site scripting (XSS) vulnerability in 'raw' page output mode for MediaWiki 1.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML.

MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code.