Mediawiki

Mediawiki

371 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2020-29005

  • EPSS 0.07%
  • Veröffentlicht 29.01.2021 07:15:16
  • Zuletzt bearbeitet 21.11.2024 05:23:28

The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure.

6.1

CVE-2020-35622

  • EPSS 0.17%
  • Veröffentlicht 21.12.2020 23:15:12
  • Zuletzt bearbeitet 21.11.2024 05:27:42

An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS unde...

7.5

CVE-2020-35623

Exploit
  • EPSS 0.18%
  • Veröffentlicht 21.12.2020 23:15:12
  • Zuletzt bearbeitet 21.11.2024 05:27:43

An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able t...

5.3

CVE-2020-35624

  • EPSS 0.17%
  • Veröffentlicht 21.12.2020 23:15:12
  • Zuletzt bearbeitet 21.11.2024 05:27:43

An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process unfolded.

8.8

CVE-2020-35625

  • EPSS 0.23%
  • Veröffentlicht 21.12.2020 23:15:12
  • Zuletzt bearbeitet 21.11.2024 05:27:43

An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML c...

8.8

CVE-2020-35626

  • EPSS 0.11%
  • Veröffentlicht 21.12.2020 23:15:12
  • Zuletzt bearbeitet 21.11.2024 05:27:43

An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.

6.1

CVE-2020-35474

Exploit
  • EPSS 0.47%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:21

In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.

7.5

CVE-2020-35475

  • EPSS 0.59%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:22

In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side...

5.3

CVE-2020-35477

Exploit
  • EPSS 0.55%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:22

MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" ...

6.1

CVE-2020-35478

Exploit
  • EPSS 0.45%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:22

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.