Mediawiki

Mediawiki

378 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.3

CVE-2020-35624

  • EPSS 0.17%
  • Veröffentlicht 21.12.2020 23:15:12
  • Zuletzt bearbeitet 21.11.2024 05:27:43

An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process unfolded.

8.8

CVE-2020-35625

  • EPSS 0.23%
  • Veröffentlicht 21.12.2020 23:15:12
  • Zuletzt bearbeitet 21.11.2024 05:27:43

An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML c...

8.8

CVE-2020-35626

  • EPSS 0.11%
  • Veröffentlicht 21.12.2020 23:15:12
  • Zuletzt bearbeitet 21.11.2024 05:27:43

An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.

6.1

CVE-2020-35474

Exploit
  • EPSS 0.47%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:21

In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.

7.5

CVE-2020-35475

  • EPSS 0.59%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:22

In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side...

5.3

CVE-2020-35477

Exploit
  • EPSS 0.47%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:22

MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" ...

6.1

CVE-2020-35478

Exploit
  • EPSS 0.45%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:22

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.

6.1

CVE-2020-35479

Exploit
  • EPSS 0.86%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:22

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects Me...

5.3

CVE-2020-35480

  • EPSS 0.34%
  • Veröffentlicht 18.12.2020 08:15:15
  • Zuletzt bearbeitet 21.11.2024 05:27:22

An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing s...

4.8

CVE-2020-29002

Exploit
  • EPSS 0.22%
  • Veröffentlicht 24.11.2020 06:15:12
  • Zuletzt bearbeitet 21.11.2024 05:23:28

includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.