Unspecified vulnerability in MediaWiki 1.11 before 1.11.2 allows remote attackers to obtain sensitive "cross-site" information via the callback parameter in an API call for JavaScript Object Notation (JSON) formatted results.
Max CVSS: 5.0 | EPSS Score: 0.68% | Published: 2008-03-13 | Updated: 2017-08-08
MediaWiki 1.8.1, and other versions before 1.13.3, when the wgShowExceptionDetails variable is enabled, sometimes provides the full installation path in a debugging message, which might allow remote attackers to obtain sensitive information via unspecified requests that trigger an uncaught exception.
Max CVSS: 4.3 | EPSS Score: 0.50% | Published: 2008-12-19 | Updated: 2009-02-18
api.php in MediaWiki before 1.15.5 does not prevent use of public caching headers for private data, which allows remote attackers to bypass intended access restrictions and obtain sensitive information by retrieving documents from an HTTP proxy cache that has been used by a victim.
Max CVSS: 4.3 | EPSS Score: 0.53% | Published: 2011-04-27 | Updated: 2011-09-07
MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter.
Max CVSS: 5.0 | EPSS Score: 0.52% | Published: 2012-01-08 | Updated: 2021-04-21
MediaWiki allows deleted text to be exposed.
Max CVSS: 7.5 | EPSS Score: 0.15% | Published: 2019-10-29 | Updated: 2019-10-31
The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information.
Max CVSS: 5.0 | EPSS Score: 0.77% | Published: 2012-09-09 | Updated: 2012-09-10
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt.
Max CVSS: 4.9 | EPSS Score: 0.11% | Published: 2017-10-19 | Updated: 2017-10-31
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
Max CVSS: 7.5 | EPSS Score: 1.02% | Published: 2019-11-20 | Updated: 2019-11-21
maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote attackers to read arbitrary files via unspecified vectors.
Max CVSS: 5.0 | EPSS Score: 0.38% | Published: 2014-06-02 | Updated: 2017-08-29
includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message.
Max CVSS: 5.0 | EPSS Score: 0.58% | Published: 2013-10-27 | Updated: 2017-08-29
The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3, when "Group changes by page in recent changes and watchlist" is enabled, allows remote attackers to obtain sensitive information (revision-deleted IPs) via the Recent Changes page.
Max CVSS: 4.3 | EPSS Score: 0.38% | Published: 2013-12-13 | Updated: 2013-12-16
The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page.
Max CVSS: 5.3 | EPSS Score: 0.15% | Published: 2020-01-28 | Updated: 2020-01-30
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted pages via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.
Max CVSS: 5.0 | EPSS Score: 0.38% | Published: 2014-05-12 | Updated: 2014-05-13
The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text.
Max CVSS: 5.0 | EPSS Score: 0.63% | Published: 2015-09-01 | Updated: 2015-09-02
MediaWiki 1.18.0 allows remote attackers to obtain the installation path via vectors related to thumbnail creation.
Max CVSS: 5.3 | EPSS Score: 0.21% | Published: 2018-04-16 | Updated: 2018-05-18
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
Max CVSS: 5.9 | EPSS Score: 0.24% | Published: 2020-01-27 | Updated: 2020-02-05
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT."
Max CVSS: 5.0 | EPSS Score: 0.80% | Published: 2015-04-13 | Updated: 2016-12-07
The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to determine if an IP is autoblocked via the "Change block" text.
Max CVSS: 5.0 | EPSS Score: 0.63% | Published: 2015-09-01 | Updated: 2015-09-02
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file.
Max CVSS: 5.0 | EPSS Score: 0.31% | Published: 2015-11-09 | Updated: 2015-11-10
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.
Max CVSS: 7.5 | EPSS Score: 0.29% | Published: 2017-03-23 | Updated: 2017-03-27
The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 allow remote attackers to obtain sensitive user login information via crafted links combined with page view statistics.
Max CVSS: 5.3 | EPSS Score: 0.26% | Published: 2017-03-23 | Updated: 2017-03-28
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to terminate sessions when a user account is blocked.
Max CVSS: 7.5 | EPSS Score: 0.30% | Published: 2017-04-20 | Updated: 2017-04-24
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php.
Max CVSS: 7.5 | EPSS Score: 0.30% | Published: 2017-04-20 | Updated: 2017-04-24
MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext.
Max CVSS: 7.8 | EPSS Score: 0.06% | Published: 2018-04-13 | Updated: 2018-05-14
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.
Max CVSS: 7.5 | EPSS Score: 0.15% | Published: 2017-11-15 | Updated: 2017-11-28
38 vulnerabilities found