An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user fails after a temporary browser hang and a DBQueryDisconnectedError error message.
Max CVSS
9.8
EPSS Score
0.09%
Published
2023-06-30
Updated
2023-07-07
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.
Max CVSS
9.8
EPSS Score
0.12%
Published
2023-03-31
Updated
2023-08-23
Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator.
Max CVSS
9.0
EPSS Score
0.13%
Published
2023-09-25
Updated
2024-02-01
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.
Max CVSS
9.8
EPSS Score
0.21%
Published
2022-04-29
Updated
2022-05-10
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints.
Max CVSS
9.8
EPSS Score
0.16%
Published
2022-04-29
Updated
2022-05-10
An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.
Max CVSS
9.8
EPSS Score
0.28%
Published
2022-03-30
Updated
2023-05-21
An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.
Max CVSS
9.8
EPSS Score
0.30%
Published
2022-03-30
Updated
2023-05-21
An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future.
Max CVSS
9.8
EPSS Score
0.26%
Published
2022-03-30
Updated
2023-05-21
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.
Max CVSS
8.8
EPSS Score
0.10%
Published
2022-01-10
Updated
2022-01-13
The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog)
Max CVSS
8.8
EPSS Score
0.09%
Published
2021-10-11
Updated
2022-07-12
An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations (specifically file uploads) that they should not be allowed to perform.
Max CVSS
8.8
EPSS Score
0.10%
Published
2021-07-02
Updated
2021-07-07
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Autoblocks for CentralAuth-issued suppression blocks are not properly implemented.
Max CVSS
9.8
EPSS Score
0.40%
Published
2021-07-02
Updated
2022-07-12
An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36. If the MediaWiki:Abusefilter-blocker message is invalid within the content language, the filter user falls back to the English version, but that English version could also be invalid on a wiki. This would result in a fatal error, and potentially fail to block or restrict a potentially nefarious user.
Max CVSS
9.8
EPSS Score
0.24%
Published
2021-07-02
Updated
2021-07-07
An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob.
Max CVSS
9.8
EPSS Score
0.31%
Published
2021-08-12
Updated
2021-11-28
An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.
Max CVSS
8.8
EPSS Score
0.10%
Published
2020-12-21
Updated
2020-12-22
An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \MediaWiki\Shell\Shell::command within a comment.
Max CVSS
8.8
EPSS Score
0.10%
Published
2020-12-21
Updated
2021-07-21
The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack.
Max CVSS
8.8
EPSS Score
0.12%
Published
2021-01-29
Updated
2021-02-03
In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled.
Max CVSS
9.8
EPSS Score
0.24%
Published
2020-03-12
Updated
2021-07-21
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover.
Max CVSS
9.8
EPSS Score
0.56%
Published
2019-07-10
Updated
2020-08-24
Wikimedia MediaWiki through 1.32.1 allows CSRF.
Max CVSS
8.8
EPSS Score
0.40%
Published
2019-07-10
Updated
2019-07-11
api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.
Max CVSS
9.8
EPSS Score
0.69%
Published
2017-11-15
Updated
2017-11-28

CVE-2017-0372

Public exploit
Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities.
Max CVSS
9.8
EPSS Score
88.62%
Published
2018-04-13
Updated
2018-05-17
Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure.
Max CVSS
8.8
EPSS Score
0.19%
Published
2018-04-13
Updated
2019-10-03
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token.
Max CVSS
8.8
EPSS Score
0.23%
Published
2018-04-13
Updated
2018-05-15
The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 generates passwords smaller than $wgMinimalPasswordLength, which makes it easier for remote attackers to obtain access via a brute-force attack.
Max CVSS
9.8
EPSS Score
0.60%
Published
2017-03-23
Updated
2017-03-27
30 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!