CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Mediawiki » Mediawiki » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-36132 863 2021-07-02 2021-07-07
6.0
None Remote Medium ??? Partial Partial Partial
An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations (specifically file uploads) that they should not be allowed to perform.
2 CVE-2021-36131 79 XSS 2021-07-02 2021-07-07
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users.
3 CVE-2021-36130 79 XSS 2021-07-02 2021-07-07
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could easily propagate across many pages for many users.
4 CVE-2021-36129 732 2021-07-02 2021-07-07
4.0
None Remote Low ??? None Partial None
An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata.
5 CVE-2021-36128 287 2021-07-02 2021-07-07
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Autoblocks for CentralAuth-issued suppression blocks are not properly implemented.
6 CVE-2021-36127 922 2021-07-02 2021-07-07
4.0
None Remote Low ??? Partial None None
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed to be completely hidden).
7 CVE-2021-36126 2021-07-02 2021-07-07
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36. If the MediaWiki:Abusefilter-blocker message is invalid within the content language, the filter user falls back to the English version, but that English version could also be invalid on a wiki. This would result in a fatal error, and potentially fail to block or restrict a potentially nefarious user.
8 CVE-2021-36125 835 DoS 2021-07-02 2021-07-07
5.0
None Remote Low Not required None None Partial
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalRenameRequest page is vulnerable to infinite loops and denial of service attacks when a user's current username is beyond an arbitrary maximum configuration value (MaxNameChars).
9 CVE-2021-35197 668 2021-07-02 2021-07-17
5.0
None Remote Low Not required None Partial None
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
10 CVE-2021-31555 20 2021-04-22 2021-04-22
5.0
None Remote Low Not required None Partial None
An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. It did not validate the oarc_version (aka oauth_registered_consumer.oarc_version) parameter's length.
11 CVE-2021-31554 668 2021-04-22 2021-04-22
5.5
None Remote Low ??? Partial Partial None
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked.
12 CVE-2021-31553 428 DoS 2021-04-22 2021-04-22
6.4
None Remote Low Not required None Partial Partial
An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2. MediaWiki usernames with trailing whitespace could be stored in the cu_log database table such that denial of service occurred for certain CheckUser extension pages and functionality. For example, the attacker could turn off Special:CheckUserLog and thus interfere with usage tracking.
13 CVE-2021-31552 668 2021-04-22 2021-04-22
5.5
None Remote Low ??? Partial Partial None
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.
14 CVE-2021-31551 79 XSS 2021-04-22 2021-04-22
4.3
None Remote Medium Not required None Partial None
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages.
15 CVE-2021-31550 79 XSS 2021-04-22 2021-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers.
16 CVE-2021-31549 200 +Info 2021-04-22 2021-04-22
4.0
None Remote Low ??? Partial None None
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users.
17 CVE-2021-31548 668 Bypass 2021-04-22 2021-04-22
4.0
None Remote Low ??? None Partial None
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.
18 CVE-2021-31547 668 2021-04-22 2021-04-22
4.0
None Remote Low ??? Partial None None
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.
19 CVE-2021-31546 200 +Info 2021-04-22 2021-04-22
4.0
None Remote Low ??? Partial None None
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly logged sensitive suppression deletions, which should not have been visible to users with access to view AbuseFilter log data.
20 CVE-2021-31545 200 +Info 2021-04-22 2021-04-22
5.0
None Remote Low Not required Partial None None
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The page_recent_contributors leaked the existence of certain deleted MediaWiki usernames, related to rev_deleted.
21 CVE-2021-30159 Bypass 2021-04-09 2021-07-17
4.0
None Remote Low ??? None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.
22 CVE-2021-30158 287 2021-04-06 2021-07-17
5.0
None Remote Low Not required Partial None None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.
23 CVE-2021-30157 79 XSS 2021-04-06 2021-07-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.
24 CVE-2021-30156 732 2021-04-09 2021-05-03
4.0
None Remote Low ??? None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists.
25 CVE-2021-30155 862 2021-04-09 2021-07-17
4.0
None Remote Low ??? None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page.
26 CVE-2021-30154 79 XSS 2021-04-06 2021-07-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.
27 CVE-2021-30152 732 2021-04-09 2021-07-17
4.0
None Remote Low ??? None Partial None
An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for.
28 CVE-2020-35626 352 CSRF 2020-12-21 2020-12-22
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.
29 CVE-2020-35625 732 2020-12-21 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \MediaWiki\Shell\Shell::command within a comment.
30 CVE-2020-35624 203 2020-12-21 2020-12-22
5.0
None Remote Low Not required Partial None None
An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process unfolded.
31 CVE-2020-35623 522 2020-12-21 2021-07-21
5.0
None Remote Low Not required None Partial None
An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.
32 CVE-2020-35622 79 XSS 2020-12-21 2020-12-22
4.3
None Remote Medium Not required None Partial None
An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions.
33 CVE-2020-35480 200 +Info 2020-12-18 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.
34 CVE-2020-35479 79 XSS 2020-12-18 2020-12-27
4.3
None Remote Medium Not required None Partial None
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.
35 CVE-2020-35478 79 XSS 2020-12-18 2020-12-27
4.3
None Remote Medium Not required None Partial None
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.
36 CVE-2020-35477 20 2020-12-18 2021-07-21
5.0
None Remote Low Not required None Partial None
MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" checkbox (or a tags checkbox) next to it, there is a redirection to the main page's action=historysubmit (instead of the desired behavior in which a revision-deletion form appears).
37 CVE-2020-35475 116 XSS 2020-12-18 2021-07-21
5.0
None Remote Low Not required Partial None None
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)
38 CVE-2020-35474 79 XSS 2020-12-18 2021-02-04
4.3
None Remote Medium Not required None Partial None
In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.
39 CVE-2020-29005 522 2021-01-29 2021-07-21
5.0
None Remote Low Not required Partial None None
The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure.
40 CVE-2020-29004 352 CSRF 2021-01-29 2021-02-03
6.8
None Remote Medium Not required Partial Partial Partial
The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack.
41 CVE-2020-29003 79 XSS 2020-11-24 2020-11-30
3.5
None Remote Medium ??? None Partial None
The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.
42 CVE-2020-29002 79 XSS 2020-11-24 2020-11-30
3.5
None Remote Medium ??? None Partial None
includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.
43 CVE-2020-27957 79 XSS 2020-10-28 2020-11-04
3.5
None Remote Medium ??? None Partial None
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
44 CVE-2020-27621 2020-10-22 2020-11-02
4.0
None Remote Low ??? None Partial None
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inability to properly audit and attribute various user actions performed via the FileImporter extension.
45 CVE-2020-26121 863 2020-09-27 2020-12-14
5.0
None Remote Low Not required None Partial None
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an upload restriction and a create restriction. An attacker cannot leverage this to overwrite anything, but can leverage this to force a wiki to have a page with a disallowed title.
46 CVE-2020-26120 79 XSS 2020-09-27 2020-12-14
4.3
None Remote Medium Not required None Partial None
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM.
47 CVE-2020-25869 755 +Info 2020-09-27 2021-07-21
5.0
None Remote Low Not required Partial None None
An information leak was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. Handling of actor ID does not necessarily use the correct database or correct wiki.
48 CVE-2020-25828 79 XSS 2020-09-27 2020-12-14
4.3
None Remote Medium Not required None Partial None
An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)
49 CVE-2020-25827 307 2020-09-27 2020-12-14
5.0
None Remote Low Not required None Partial None
An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.
50 CVE-2020-25815 79 XSS 2020-09-27 2020-12-14
4.3
None Remote Medium Not required None Partial None
An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().
Total number of vulnerabilities : 193   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.