Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2012-2698

Summary
Assigner-redhat
Assigner Org ID-53f830b8-0a3f-465b-8143-3b8a9948e749
Published At-29 Jun, 2012 | 19:00
Updated At-06 Aug, 2024 | 19:42
Rejected At-
Credits

Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:redhat
Assigner Org ID:53f830b8-0a3f-465b-8143-3b8a9948e749
Published At:29 Jun, 2012 | 19:00
Updated At:06 Aug, 2024 | 19:42
Rejected At:
â–¼CVE Numbering Authority (CNA)

Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.html
mailing-list
x_refsource_MLIST
https://www.mediawiki.org/wiki/Release_notes/1.18
x_refsource_CONFIRM
http://www.osvdb.org/82983
vdb-entry
x_refsource_OSVDB
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.html
mailing-list
x_refsource_MLIST
http://secunia.com/advisories/49484
third-party-advisory
x_refsource_SECUNIA
https://bugzilla.wikimedia.org/show_bug.cgi?id=36938
x_refsource_CONFIRM
http://securitytracker.com/id?1027179
vdb-entry
x_refsource_SECTRACK
https://www.mediawiki.org/wiki/Release_notes/1.19
x_refsource_CONFIRM
https://exchange.xforce.ibmcloud.com/vulnerabilities/76311
vdb-entry
x_refsource_XF
https://www.mediawiki.org/wiki/Release_notes/1.17
x_refsource_CONFIRM
https://gerrit.wikimedia.org/r/#/c/7979/1/includes/SkinTemplate.php
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2012/06/14/2
mailing-list
x_refsource_MLIST
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000118.html
mailing-list
x_refsource_MLIST
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.html
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.18
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.osvdb.org/82983
Resource:
vdb-entry
x_refsource_OSVDB
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.html
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: http://secunia.com/advisories/49484
Resource:
third-party-advisory
x_refsource_SECUNIA
Hyperlink: https://bugzilla.wikimedia.org/show_bug.cgi?id=36938
Resource:
x_refsource_CONFIRM
Hyperlink: http://securitytracker.com/id?1027179
Resource:
vdb-entry
x_refsource_SECTRACK
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.19
Resource:
x_refsource_CONFIRM
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/76311
Resource:
vdb-entry
x_refsource_XF
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.17
Resource:
x_refsource_CONFIRM
Hyperlink: https://gerrit.wikimedia.org/r/#/c/7979/1/includes/SkinTemplate.php
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.openwall.com/lists/oss-security/2012/06/14/2
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000118.html
Resource:
mailing-list
x_refsource_MLIST
â–¼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.html
mailing-list
x_refsource_MLIST
x_transferred
https://www.mediawiki.org/wiki/Release_notes/1.18
x_refsource_CONFIRM
x_transferred
http://www.osvdb.org/82983
vdb-entry
x_refsource_OSVDB
x_transferred
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.html
mailing-list
x_refsource_MLIST
x_transferred
http://secunia.com/advisories/49484
third-party-advisory
x_refsource_SECUNIA
x_transferred
https://bugzilla.wikimedia.org/show_bug.cgi?id=36938
x_refsource_CONFIRM
x_transferred
http://securitytracker.com/id?1027179
vdb-entry
x_refsource_SECTRACK
x_transferred
https://www.mediawiki.org/wiki/Release_notes/1.19
x_refsource_CONFIRM
x_transferred
https://exchange.xforce.ibmcloud.com/vulnerabilities/76311
vdb-entry
x_refsource_XF
x_transferred
https://www.mediawiki.org/wiki/Release_notes/1.17
x_refsource_CONFIRM
x_transferred
https://gerrit.wikimedia.org/r/#/c/7979/1/includes/SkinTemplate.php
x_refsource_CONFIRM
x_transferred
http://www.openwall.com/lists/oss-security/2012/06/14/2
mailing-list
x_refsource_MLIST
x_transferred
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000118.html
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.html
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.18
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.osvdb.org/82983
Resource:
vdb-entry
x_refsource_OSVDB
x_transferred
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.html
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: http://secunia.com/advisories/49484
Resource:
third-party-advisory
x_refsource_SECUNIA
x_transferred
Hyperlink: https://bugzilla.wikimedia.org/show_bug.cgi?id=36938
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://securitytracker.com/id?1027179
Resource:
vdb-entry
x_refsource_SECTRACK
x_transferred
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.19
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/76311
Resource:
vdb-entry
x_refsource_XF
x_transferred
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.17
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://gerrit.wikimedia.org/r/#/c/7979/1/includes/SkinTemplate.php
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2012/06/14/2
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000118.html
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secalert@redhat.com
Published At:29 Jun, 2012 | 19:55
Updated At:11 Apr, 2025 | 00:51

Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
Wikimedia Foundation
mediawiki
>>mediawiki>>1.18
cpe:2.3:a:mediawiki:mediawiki:1.18:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.18
cpe:2.3:a:mediawiki:mediawiki:1.18:beta_1:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.18.0
cpe:2.3:a:mediawiki:mediawiki:1.18.0:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.18.0
cpe:2.3:a:mediawiki:mediawiki:1.18.0:rc1:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.18.1
cpe:2.3:a:mediawiki:mediawiki:1.18.1:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.18.2
cpe:2.3:a:mediawiki:mediawiki:1.18.2:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.18.3
cpe:2.3:a:mediawiki:mediawiki:1.18.3:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>Versions up to 1.17.4(inclusive)
cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.1.0
cpe:2.3:a:mediawiki:mediawiki:1.1.0:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.0
cpe:2.3:a:mediawiki:mediawiki:1.2.0:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.1
cpe:2.3:a:mediawiki:mediawiki:1.2.1:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.2
cpe:2.3:a:mediawiki:mediawiki:1.2.2:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.3
cpe:2.3:a:mediawiki:mediawiki:1.2.3:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.4
cpe:2.3:a:mediawiki:mediawiki:1.2.4:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.5
cpe:2.3:a:mediawiki:mediawiki:1.2.5:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.6
cpe:2.3:a:mediawiki:mediawiki:1.2.6:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3
cpe:2.3:a:mediawiki:mediawiki:1.3:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.0
cpe:2.3:a:mediawiki:mediawiki:1.3.0:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.1
cpe:2.3:a:mediawiki:mediawiki:1.3.1:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.2
cpe:2.3:a:mediawiki:mediawiki:1.3.2:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.3
cpe:2.3:a:mediawiki:mediawiki:1.3.3:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.4
cpe:2.3:a:mediawiki:mediawiki:1.3.4:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.5
cpe:2.3:a:mediawiki:mediawiki:1.3.5:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.6
cpe:2.3:a:mediawiki:mediawiki:1.3.6:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.7
cpe:2.3:a:mediawiki:mediawiki:1.3.7:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.8
cpe:2.3:a:mediawiki:mediawiki:1.3.8:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.9
cpe:2.3:a:mediawiki:mediawiki:1.3.9:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.10
cpe:2.3:a:mediawiki:mediawiki:1.3.10:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.11
cpe:2.3:a:mediawiki:mediawiki:1.3.11:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.12
cpe:2.3:a:mediawiki:mediawiki:1.3.12:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.13
cpe:2.3:a:mediawiki:mediawiki:1.3.13:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.14
cpe:2.3:a:mediawiki:mediawiki:1.3.14:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.15
cpe:2.3:a:mediawiki:mediawiki:1.3.15:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta1:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta2:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta3:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta4:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta5:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta6:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.0
cpe:2.3:a:mediawiki:mediawiki:1.4.0:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.1
cpe:2.3:a:mediawiki:mediawiki:1.4.1:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.2
cpe:2.3:a:mediawiki:mediawiki:1.4.2:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.3
cpe:2.3:a:mediawiki:mediawiki:1.4.3:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.4
cpe:2.3:a:mediawiki:mediawiki:1.4.4:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.5
cpe:2.3:a:mediawiki:mediawiki:1.4.5:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.6
cpe:2.3:a:mediawiki:mediawiki:1.4.6:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.7
cpe:2.3:a:mediawiki:mediawiki:1.4.7:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.8
cpe:2.3:a:mediawiki:mediawiki:1.4.8:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.9
cpe:2.3:a:mediawiki:mediawiki:1.4.9:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.10
cpe:2.3:a:mediawiki:mediawiki:1.4.10:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.htmlsecalert@redhat.com
N/A
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.htmlsecalert@redhat.com
N/A
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000118.htmlsecalert@redhat.com
Vendor Advisory
http://secunia.com/advisories/49484secalert@redhat.com
Vendor Advisory
http://securitytracker.com/id?1027179secalert@redhat.com
N/A
http://www.openwall.com/lists/oss-security/2012/06/14/2secalert@redhat.com
N/A
http://www.osvdb.org/82983secalert@redhat.com
N/A
https://bugzilla.wikimedia.org/show_bug.cgi?id=36938secalert@redhat.com
N/A
https://exchange.xforce.ibmcloud.com/vulnerabilities/76311secalert@redhat.com
N/A
https://gerrit.wikimedia.org/r/#/c/7979/1/includes/SkinTemplate.phpsecalert@redhat.com
Exploit
Patch
https://www.mediawiki.org/wiki/Release_notes/1.17secalert@redhat.com
N/A
https://www.mediawiki.org/wiki/Release_notes/1.18secalert@redhat.com
N/A
https://www.mediawiki.org/wiki/Release_notes/1.19secalert@redhat.com
N/A
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.htmlaf854a3a-2127-422b-91ae-364da2661108
N/A
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.htmlaf854a3a-2127-422b-91ae-364da2661108
N/A
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000118.htmlaf854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://secunia.com/advisories/49484af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://securitytracker.com/id?1027179af854a3a-2127-422b-91ae-364da2661108
N/A
http://www.openwall.com/lists/oss-security/2012/06/14/2af854a3a-2127-422b-91ae-364da2661108
N/A
http://www.osvdb.org/82983af854a3a-2127-422b-91ae-364da2661108
N/A
https://bugzilla.wikimedia.org/show_bug.cgi?id=36938af854a3a-2127-422b-91ae-364da2661108
N/A
https://exchange.xforce.ibmcloud.com/vulnerabilities/76311af854a3a-2127-422b-91ae-364da2661108
N/A
https://gerrit.wikimedia.org/r/#/c/7979/1/includes/SkinTemplate.phpaf854a3a-2127-422b-91ae-364da2661108
Exploit
Patch
https://www.mediawiki.org/wiki/Release_notes/1.17af854a3a-2127-422b-91ae-364da2661108
N/A
https://www.mediawiki.org/wiki/Release_notes/1.18af854a3a-2127-422b-91ae-364da2661108
N/A
https://www.mediawiki.org/wiki/Release_notes/1.19af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.html
Source: secalert@redhat.com
Resource: N/A
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.html
Source: secalert@redhat.com
Resource: N/A
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000118.html
Source: secalert@redhat.com
Resource:
Vendor Advisory
Hyperlink: http://secunia.com/advisories/49484
Source: secalert@redhat.com
Resource:
Vendor Advisory
Hyperlink: http://securitytracker.com/id?1027179
Source: secalert@redhat.com
Resource: N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2012/06/14/2
Source: secalert@redhat.com
Resource: N/A
Hyperlink: http://www.osvdb.org/82983
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://bugzilla.wikimedia.org/show_bug.cgi?id=36938
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/76311
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://gerrit.wikimedia.org/r/#/c/7979/1/includes/SkinTemplate.php
Source: secalert@redhat.com
Resource:
Exploit
Patch
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.17
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.18
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.19
Source: secalert@redhat.com
Resource: N/A
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000118.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: http://secunia.com/advisories/49484
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: http://securitytracker.com/id?1027179
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2012/06/14/2
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.osvdb.org/82983
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://bugzilla.wikimedia.org/show_bug.cgi?id=36938
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/76311
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://gerrit.wikimedia.org/r/#/c/7979/1/includes/SkinTemplate.php
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Patch
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.17
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.18
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.19
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

12339Records found
CVE-2013-4303
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.57% / 68.51%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 18:30
Updated-06 Aug, 2024 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.

Action-Not Available
Vendor-Wikimedia Foundation
Product-mediawikiMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-6453
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 45.33%
||
7 Day CHG~0.00%
Published-31 Dec, 2012 | 11:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the RSS Reader extension before 0.2.6 for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a crafted feed.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-rssreadern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1951
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.98% / 83.61%
||
7 Day CHG~0.00%
Published-31 Oct, 2019 | 19:33
Updated-06 Aug, 2024 | 15:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names.

Action-Not Available
Vendor-Linux Kernel Organization, IncWikimedia FoundationDebian GNU/Linux
Product-mediawikidebian_linuxlinux_kernelMediaWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-2031
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.60% / 81.76%
||
7 Day CHG~0.00%
Published-15 Nov, 2013 | 18:16
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox.

Action-Not Available
Vendor-n/aWikimedia FoundationGentoo Foundation, Inc.
Product-linuxmediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-4378
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.51% / 66.31%
||
7 Day CHG~0.00%
Published-26 Oct, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-4377
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.00% / 76.99%
||
7 Day CHG~0.00%
Published-26 Oct, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1582
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.64% / 70.65%
||
7 Day CHG~0.00%
Published-09 Sep, 2012 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to inject arbitrary web script or HTML via a crafted page with "forged strip item markers," as demonstrated using the CharInsert extension.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1587
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.99%
||
7 Day CHG~0.00%
Published-27 Apr, 2011 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578.

Action-Not Available
Vendor-n/aWikimedia FoundationMicrosoft Corporation
Product-mediawikiinternet_explorern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1578
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.71% / 72.34%
||
7 Day CHG~0.00%
Published-27 Apr, 2011 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character.

Action-Not Available
Vendor-n/aWikimedia FoundationMicrosoft Corporation
Product-mediawikiinternet_explorern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1765
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.96%
||
7 Day CHG~0.00%
Published-23 May, 2011 | 22:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .shtml at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578 and CVE-2011-1587.

Action-Not Available
Vendor-n/aWikimedia FoundationMicrosoft Corporation
Product-mediawikiinternet_explorern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-0047
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.84% / 74.67%
||
7 Day CHG~0.00%
Published-04 Feb, 2011 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability."

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45474
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 49.05%
||
7 Day CHG~0.00%
Published-24 Dec, 2021 | 01:03
Updated-04 Aug, 2024 | 04:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-30157
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.73% / 72.80%
||
7 Day CHG-0.27%
Published-06 Apr, 2021 | 06:43
Updated-03 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWikimedia FoundationFedora Project
Product-debian_linuxmediawikifedoran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6163
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.33% / 55.83%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 01:45
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file).

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41798
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.16% / 36.65%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 00:00
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42043
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.44% / 63.21%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 20:28
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4589
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.91%
||
7 Day CHG~0.00%
Published-07 Jan, 2010 | 18:13
Updated-07 Aug, 2024 | 07:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Special:Block implementation in the getContribsLink function in SpecialBlockip.php in MediaWiki 1.14.0 and 1.15.0 allows remote attackers to inject arbitrary web script or HTML via the ip parameter.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikmediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-35622
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 38.74%
||
7 Day CHG~0.00%
Published-21 Dec, 2020 | 22:37
Updated-04 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-35479
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.86% / 75.05%
||
7 Day CHG~0.00%
Published-18 Dec, 2020 | 07:42
Updated-04 Aug, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWikimedia FoundationFedora Project
Product-debian_linuxmediawikifedoran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-35478
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.45% / 63.48%
||
7 Day CHG~0.00%
Published-18 Dec, 2020 | 07:33
Updated-04 Aug, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-35474
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 64.50%
||
7 Day CHG~0.00%
Published-18 Dec, 2020 | 07:30
Updated-04 Aug, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-27620
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.53% / 67.18%
||
7 Day CHG~0.00%
Published-22 Oct, 2020 | 03:05
Updated-04 Aug, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-skin\n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25812
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 58.95%
||
7 Day CHG~0.00%
Published-27 Sep, 2020 | 20:25
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25828
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 59.86%
||
7 Day CHG~0.00%
Published-27 Sep, 2020 | 20:31
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1647
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 48.19%
||
7 Day CHG~0.00%
Published-07 Jun, 2010 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-5249
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.44% / 63.30%
||
7 Day CHG~0.00%
Published-19 Dec, 2008 | 17:00
Updated-07 Aug, 2024 | 10:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.0 through 1.13.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4408
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.69% / 71.83%
||
7 Day CHG~0.00%
Published-03 Oct, 2008 | 17:18
Updated-07 Aug, 2024 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0, and possibly other versions before 1.13.2 allows remote attackers to inject arbitrary web script or HTML via the useskin parameter to an unspecified component.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-34911
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 62.91%
||
7 Day CHG~0.00%
Published-02 Jul, 2022 | 00:00
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-0788
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 67.15%
||
7 Day CHG~0.00%
Published-06 Feb, 2007 | 19:00
Updated-07 Aug, 2024 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki 1.9.x before 1.9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "sortable tables JavaScript."

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2006-1498
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.03% / 77.35%
||
7 Day CHG~0.00%
Published-30 Mar, 2006 | 00:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.5.8 and 1.4.15 allows remote attackers to inject arbitrary web script or HTML via crafted encoded links.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-3165
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 50.30%
||
7 Day CHG~0.00%
Published-06 Oct, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.4.9 allow remote attackers to inject arbitrary web script or HTML via (1) <math> tags or (2) Extension or <nowiki> sections that "bypass HTML style attribute restrictions" that are intended to protect against XSS vulnerabilities in Internet Explorer clients.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-2215
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 57.26%
||
7 Day CHG~0.00%
Published-12 Jul, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.x before 1.4.6 and 1.5 before 1.5beta3 allows remote attackers to inject arbitrary web script or HTML via a parameter in the page move template, a different vulnerability than CVE-2005-1888.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-2396
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.61% / 69.87%
||
7 Day CHG~0.00%
Published-27 Jul, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via a parameter to the page move template.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-1888
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 58.49%
||
7 Day CHG~0.00%
Published-08 Jun, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.5 allows remote attackers to inject arbitrary web script via HTML attributes in page templates.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2004-2152
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 64.32%
||
7 Day CHG~0.00%
Published-01 Jul, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in 'raw' page output mode for MediaWiki 1.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2006-2611
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.41% / 80.56%
||
7 Day CHG~0.00%
Published-26 May, 2006 | 01:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in includes/Sanitizer.php in the variable handler in MediaWiki 1.6.x before r14349 allows remote attackers to inject arbitrary Javascript via unspecified vectors, possibly involving the usage of the | (pipe) character.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2022-34912
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 46.55%
||
7 Day CHG~0.00%
Published-02 Jul, 2022 | 00:00
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CVE-2022-29905
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.96%
||
7 Day CHG~0.00%
Published-29 Apr, 2022 | 03:43
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-29903
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.52%
||
7 Day CHG~0.00%
Published-29 Apr, 2022 | 03:44
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2005-4501
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.57% / 68.68%
||
7 Day CHG~0.00%
Published-22 Dec, 2005 | 21:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.5.4 uses a hard-coded "internal placeholder string", which allows remote attackers to bypass protection against cross-site scripting (XSS) attacks and execute Javascript using inline style attributes, which are processed by Internet Explorer.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-3167
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 64.27%
||
7 Day CHG~0.00%
Published-06 Oct, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incomplete blacklist vulnerability in MediaWiki before 1.4.11 does not properly remove certain CSS inputs (HTML inline style attributes) that are processed as active content by Internet Explorer, which allows remote attackers to conduct cross-site scripting (XSS) attacks.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2014-5243
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 58.75%
||
7 Day CHG~0.00%
Published-22 Aug, 2014 | 17:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-20
Improper Input Validation
CVE-2013-4568
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.50% / 65.88%
||
7 Day CHG~0.00%
Published-13 Dec, 2013 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2013-4567
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 63.92%
||
7 Day CHG~0.00%
Published-13 Dec, 2013 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-1245
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 62.42%
||
7 Day CHG~0.00%
Published-24 Apr, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.2, when using HTML Tidy ($wgUseTidy), allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2012-4379
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 62.55%
||
7 Day CHG~0.00%
Published-19 Oct, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-284
Improper Access Control
CVE-2005-0534
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.44% / 63.40%
||
7 Day CHG~0.00%
Published-24 Feb, 2005 | 05:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allow remote attackers to inject arbitrary web script.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2017-8811
Matching Score-8
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-8
Assigner-Debian GNU/Linux
CVSS Score-6.1||MEDIUM
EPSS-0.33% / 55.60%
||
7 Day CHG~0.00%
Published-15 Nov, 2017 | 08:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks.

Action-Not Available
Vendor-n/aWikimedia FoundationDebian GNU/Linux
Product-mediawikidebian_linuxMediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2
CWE ID-CWE-20
Improper Input Validation
CVE-2023-51704
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 60.64%
||
7 Day CHG~0.00%
Published-22 Dec, 2023 | 00:00
Updated-04 Nov, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-20175
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-2.6||LOW
EPSS-0.28% / 51.82%
||
7 Day CHG~0.00%
Published-05 Feb, 2023 | 19:57
Updated-05 Aug, 2024 | 21:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DaSchTour matomo-mediawiki-extension Username Piwik.hooks.php cross site scripting

A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2 on MediaWiki. This affects an unknown part of the file Piwik.hooks.php of the component Username Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.4.3 is able to address this issue. The patch is named 681324e4f518a8af4bd1f93867074c728eb9923d. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220203.

Action-Not Available
Vendor-DaSchTourWikimedia Foundation
Product-matomomatomo-mediawiki-extension
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 246
  • 247
  • Next
Details not found