Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2014-2853

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-29 Apr, 2014 | 18:00
Updated At-06 Aug, 2024 | 10:28
Rejected At-
Credits

Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:29 Apr, 2014 | 18:00
Updated At:06 Aug, 2024 | 10:28
Rejected At:
▼CVE Numbering Authority (CNA)

Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/67068
vdb-entry
x_refsource_BID
http://www.securitytracker.com/id/1030161
vdb-entry
x_refsource_SECTRACK
http://secunia.com/advisories/58262
third-party-advisory
x_refsource_SECUNIA
https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
x_refsource_MISC
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
mailing-list
x_refsource_MLIST
https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
x_refsource_CONFIRM
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
x_refsource_CONFIRM
https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=1091967
x_refsource_MISC
Hyperlink: http://www.securityfocus.com/bid/67068
Resource:
vdb-entry
x_refsource_BID
Hyperlink: http://www.securitytracker.com/id/1030161
Resource:
vdb-entry
x_refsource_SECTRACK
Hyperlink: http://secunia.com/advisories/58262
Resource:
third-party-advisory
x_refsource_SECUNIA
Hyperlink: https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
Resource:
x_refsource_MISC
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
Resource:
x_refsource_CONFIRM
Hyperlink: https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
Resource:
x_refsource_CONFIRM
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
Resource:
x_refsource_CONFIRM
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1091967
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/67068
vdb-entry
x_refsource_BID
x_transferred
http://www.securitytracker.com/id/1030161
vdb-entry
x_refsource_SECTRACK
x_transferred
http://secunia.com/advisories/58262
third-party-advisory
x_refsource_SECUNIA
x_transferred
https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
x_refsource_MISC
x_transferred
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
mailing-list
x_refsource_MLIST
x_transferred
https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
x_refsource_CONFIRM
x_transferred
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
x_refsource_CONFIRM
x_transferred
https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
x_refsource_CONFIRM
x_transferred
https://bugzilla.redhat.com/show_bug.cgi?id=1091967
x_refsource_MISC
x_transferred
Hyperlink: http://www.securityfocus.com/bid/67068
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: http://www.securitytracker.com/id/1030161
Resource:
vdb-entry
x_refsource_SECTRACK
x_transferred
Hyperlink: http://secunia.com/advisories/58262
Resource:
third-party-advisory
x_refsource_SECUNIA
x_transferred
Hyperlink: https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1091967
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:29 Apr, 2014 | 18:55
Updated At:12 Apr, 2025 | 10:46

Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
Wikimedia Foundation
mediawiki
>>mediawiki>>Versions up to 1.21.8(inclusive)
cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.1.0
cpe:2.3:a:mediawiki:mediawiki:1.1.0:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.0
cpe:2.3:a:mediawiki:mediawiki:1.2.0:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.1
cpe:2.3:a:mediawiki:mediawiki:1.2.1:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.2
cpe:2.3:a:mediawiki:mediawiki:1.2.2:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.3
cpe:2.3:a:mediawiki:mediawiki:1.2.3:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.4
cpe:2.3:a:mediawiki:mediawiki:1.2.4:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.5
cpe:2.3:a:mediawiki:mediawiki:1.2.5:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.2.6
cpe:2.3:a:mediawiki:mediawiki:1.2.6:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3
cpe:2.3:a:mediawiki:mediawiki:1.3:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.0
cpe:2.3:a:mediawiki:mediawiki:1.3.0:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.1
cpe:2.3:a:mediawiki:mediawiki:1.3.1:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.2
cpe:2.3:a:mediawiki:mediawiki:1.3.2:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.3
cpe:2.3:a:mediawiki:mediawiki:1.3.3:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.4
cpe:2.3:a:mediawiki:mediawiki:1.3.4:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.5
cpe:2.3:a:mediawiki:mediawiki:1.3.5:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.6
cpe:2.3:a:mediawiki:mediawiki:1.3.6:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.7
cpe:2.3:a:mediawiki:mediawiki:1.3.7:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.8
cpe:2.3:a:mediawiki:mediawiki:1.3.8:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.9
cpe:2.3:a:mediawiki:mediawiki:1.3.9:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.10
cpe:2.3:a:mediawiki:mediawiki:1.3.10:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.11
cpe:2.3:a:mediawiki:mediawiki:1.3.11:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.12
cpe:2.3:a:mediawiki:mediawiki:1.3.12:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.13
cpe:2.3:a:mediawiki:mediawiki:1.3.13:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.14
cpe:2.3:a:mediawiki:mediawiki:1.3.14:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.3.15
cpe:2.3:a:mediawiki:mediawiki:1.3.15:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta1:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta2:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta3:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta4:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta5:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4
cpe:2.3:a:mediawiki:mediawiki:1.4:beta6:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.0
cpe:2.3:a:mediawiki:mediawiki:1.4.0:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.1
cpe:2.3:a:mediawiki:mediawiki:1.4.1:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.2
cpe:2.3:a:mediawiki:mediawiki:1.4.2:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.3
cpe:2.3:a:mediawiki:mediawiki:1.4.3:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.4
cpe:2.3:a:mediawiki:mediawiki:1.4.4:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.5
cpe:2.3:a:mediawiki:mediawiki:1.4.5:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.6
cpe:2.3:a:mediawiki:mediawiki:1.4.6:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.7
cpe:2.3:a:mediawiki:mediawiki:1.4.7:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.8
cpe:2.3:a:mediawiki:mediawiki:1.4.8:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.9
cpe:2.3:a:mediawiki:mediawiki:1.4.9:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.10
cpe:2.3:a:mediawiki:mediawiki:1.4.10:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.11
cpe:2.3:a:mediawiki:mediawiki:1.4.11:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.12
cpe:2.3:a:mediawiki:mediawiki:1.4.12:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.13
cpe:2.3:a:mediawiki:mediawiki:1.4.13:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.4.14
cpe:2.3:a:mediawiki:mediawiki:1.4.14:*:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.5
cpe:2.3:a:mediawiki:mediawiki:1.5:alpha1:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.5
cpe:2.3:a:mediawiki:mediawiki:1.5:alpha2:*:*:*:*:*:*
Wikimedia Foundation
mediawiki
>>mediawiki>>1.5
cpe:2.3:a:mediawiki:mediawiki:1.5:beta1:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.htmlcve@mitre.org
N/A
http://secunia.com/advisories/58262cve@mitre.org
Vendor Advisory
http://www.securityfocus.com/bid/67068cve@mitre.org
N/A
http://www.securitytracker.com/id/1030161cve@mitre.org
N/A
https://bugzilla.redhat.com/show_bug.cgi?id=1091967cve@mitre.org
N/A
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251cve@mitre.org
N/A
https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6cve@mitre.org
N/A
https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8cve@mitre.org
Vendor Advisory
https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5cve@mitre.org
Vendor Advisory
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.htmlaf854a3a-2127-422b-91ae-364da2661108
N/A
http://secunia.com/advisories/58262af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://www.securityfocus.com/bid/67068af854a3a-2127-422b-91ae-364da2661108
N/A
http://www.securitytracker.com/id/1030161af854a3a-2127-422b-91ae-364da2661108
N/A
https://bugzilla.redhat.com/show_bug.cgi?id=1091967af854a3a-2127-422b-91ae-364da2661108
N/A
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251af854a3a-2127-422b-91ae-364da2661108
N/A
https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6af854a3a-2127-422b-91ae-364da2661108
N/A
https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://secunia.com/advisories/58262
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/67068
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securitytracker.com/id/1030161
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1091967
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://secunia.com/advisories/58262
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/67068
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.securitytracker.com/id/1030161
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1091967
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

12312Records found
CVE-2020-25814
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.46% / 63.36%
||
7 Day CHG~0.00%
Published-27 Sep, 2020 | 20:29
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25812
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 61.81%
||
7 Day CHG~0.00%
Published-27 Sep, 2020 | 20:25
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45474
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.33% / 55.24%
||
7 Day CHG~0.00%
Published-24 Dec, 2021 | 01:03
Updated-04 Aug, 2024 | 04:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45473
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.33% / 54.86%
||
7 Day CHG~0.00%
Published-24 Dec, 2021 | 01:03
Updated-04 Aug, 2024 | 04:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which is triggered upon a visit to an action=info URL (aka a page-information sidebar).

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42041
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.81% / 73.30%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 20:28
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42043
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.70% / 71.10%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 20:28
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45472
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.33% / 55.24%
||
7 Day CHG~0.00%
Published-24 Dec, 2021 | 01:04
Updated-04 Aug, 2024 | 04:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19910
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 61.12%
||
7 Day CHG~0.00%
Published-19 Dec, 2019 | 18:41
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 and/or 1.34) mishandles certain HTML attributes, as demonstrated by IMG onmouseover= (impact is XSS) and IMG src=http (impact is disclosing the client's IP address). This can occur within a talk page topical header that is viewed within a mobile (MobileFrontend) context.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41798
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.10% / 28.33%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 00:00
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1587
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 48.75%
||
7 Day CHG~0.00%
Published-27 Apr, 2011 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578.

Action-Not Available
Vendor-n/aWikimedia FoundationMicrosoft Corporation
Product-mediawikiinternet_explorern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1765
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 61.71%
||
7 Day CHG~0.00%
Published-23 May, 2011 | 22:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .shtml at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578 and CVE-2011-1587.

Action-Not Available
Vendor-n/aWikimedia FoundationMicrosoft Corporation
Product-mediawikiinternet_explorern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1578
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.70% / 71.01%
||
7 Day CHG~0.00%
Published-27 Apr, 2011 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character.

Action-Not Available
Vendor-n/aWikimedia FoundationMicrosoft Corporation
Product-mediawikiinternet_explorern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-14807
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.16%
||
7 Day CHG~0.00%
Published-09 Aug, 2019 | 20:28
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS exists within the edit summary field in includes/specials/MobileSpecialPageFeed.php.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mobilefrontendn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19708
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 57.81%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 01:33
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-visual_editorn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-6334
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.67%
||
7 Day CHG~0.00%
Published-20 Apr, 2017 | 17:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-6333
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.28% / 50.61%
||
7 Day CHG~0.00%
Published-20 Apr, 2017 | 17:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-30157
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.04% / 76.53%
||
7 Day CHG~0.00%
Published-06 Apr, 2021 | 06:43
Updated-03 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWikimedia FoundationFedora Project
Product-debian_linuxmediawikifedoran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-15124
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.32% / 54.13%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 18:09
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the MobileFrontend extension for MediaWiki, XSS exists within the edit summary field of the watchlist feed. This affects REL1_31, REL1_32, and REL1_33.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mobilefrontendn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-35622
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.92%
||
7 Day CHG~0.00%
Published-21 Dec, 2020 | 22:37
Updated-04 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-12471
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.32% / 54.27%
||
7 Day CHG~0.00%
Published-10 Jul, 2019 | 15:49
Updated-04 Aug, 2024 | 23:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWikimedia Foundation
Product-debian_linuxmediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-8622
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 61.72%
||
7 Day CHG~0.00%
Published-23 Mar, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to a page named "javascript:alert('XSS!')."

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-6730
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 60.30%
||
7 Day CHG~0.00%
Published-01 Sep, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter, which is not properly handled in an error page, related to "ForeignAPI images."

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-2933
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 60.30%
||
7 Day CHG~0.00%
Published-13 Apr, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a LanguageConverter substitution string when using a language variant.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-2938
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 60.30%
||
7 Day CHG~0.00%
Published-13 Apr, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a custom JavaScript file, which is not properly handled when previewing the file.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-2941
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 60.30%
||
7 Day CHG~0.00%
Published-13 Apr, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to inject arbitrary web script or HTML via an invalid parameter in a wddx format request to api.php, which is not properly handled in an error message, related to unsafe calls to wddx_serialize_value.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6163
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.33% / 55.08%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 01:45
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file).

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-35474
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.45% / 62.68%
||
7 Day CHG~0.00%
Published-18 Dec, 2020 | 07:30
Updated-04 Aug, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25815
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 61.81%
||
7 Day CHG~0.00%
Published-27 Sep, 2020 | 20:27
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4568
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.57% / 67.52%
||
7 Day CHG~0.00%
Published-13 Dec, 2013 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2013-4567
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 65.87%
||
7 Day CHG~0.00%
Published-13 Dec, 2013 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2017-8811
Matching Score-8
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-8
Assigner-Debian GNU/Linux
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 52.17%
||
7 Day CHG~0.00%
Published-15 Nov, 2017 | 08:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks.

Action-Not Available
Vendor-n/aWikimedia FoundationDebian GNU/Linux
Product-mediawikidebian_linuxMediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2
CWE ID-CWE-20
Improper Input Validation
CVE-2014-5243
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 63.40%
||
7 Day CHG~0.00%
Published-22 Aug, 2014 | 17:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-20
Improper Input Validation
CVE-2012-4379
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.61% / 68.77%
||
7 Day CHG~0.00%
Published-19 Oct, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-284
Improper Access Control
CVE-2022-34912
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 41.50%
||
7 Day CHG~0.00%
Published-02 Jul, 2022 | 00:00
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.

Action-Not Available
Vendor-n/aWikimedia FoundationFedora Project
Product-fedoramediawikin/a
CVE-2007-0788
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 65.28%
||
7 Day CHG~0.00%
Published-06 Feb, 2007 | 19:00
Updated-07 Aug, 2024 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki 1.9.x before 1.9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "sortable tables JavaScript."

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2022-29905
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.55%
||
7 Day CHG~0.00%
Published-29 Apr, 2022 | 03:43
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-29903
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.90%
||
7 Day CHG~0.00%
Published-29 Apr, 2022 | 03:44
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2005-1888
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.67%
||
7 Day CHG~0.00%
Published-08 Jun, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.5 allows remote attackers to inject arbitrary web script via HTML attributes in page templates.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2006-2611
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.41% / 79.74%
||
7 Day CHG~0.00%
Published-26 May, 2006 | 01:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in includes/Sanitizer.php in the variable handler in MediaWiki 1.6.x before r14349 allows remote attackers to inject arbitrary Javascript via unspecified vectors, possibly involving the usage of the | (pipe) character.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2006-1498
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.03% / 76.40%
||
7 Day CHG~0.00%
Published-30 Mar, 2006 | 00:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.5.8 and 1.4.15 allows remote attackers to inject arbitrary web script or HTML via crafted encoded links.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-2396
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.61% / 68.88%
||
7 Day CHG~0.00%
Published-27 Jul, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via a parameter to the page move template.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-4501
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.57% / 67.65%
||
7 Day CHG~0.00%
Published-22 Dec, 2005 | 21:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MediaWiki before 1.5.4 uses a hard-coded "internal placeholder string", which allows remote attackers to bypass protection against cross-site scripting (XSS) attacks and execute Javascript using inline style attributes, which are processed by Internet Explorer.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-3167
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 63.24%
||
7 Day CHG~0.00%
Published-06 Oct, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incomplete blacklist vulnerability in MediaWiki before 1.4.11 does not properly remove certain CSS inputs (HTML inline style attributes) that are processed as active content by Internet Explorer, which allows remote attackers to conduct cross-site scripting (XSS) attacks.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-3165
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 49.98%
||
7 Day CHG~0.00%
Published-06 Oct, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.4.9 allow remote attackers to inject arbitrary web script or HTML via (1) <math> tags or (2) Extension or <nowiki> sections that "bypass HTML style attribute restrictions" that are intended to protect against XSS vulnerabilities in Internet Explorer clients.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-2215
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 56.48%
||
7 Day CHG~0.00%
Published-12 Jul, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.x before 1.4.6 and 1.5 before 1.5beta3 allows remote attackers to inject arbitrary web script or HTML via a parameter in the page move template, a different vulnerability than CVE-2005-1888.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-1245
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 61.52%
||
7 Day CHG~0.00%
Published-24 Apr, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.2, when using HTML Tidy ($wgUseTidy), allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2005-0534
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.44% / 62.44%
||
7 Day CHG~0.00%
Published-24 Feb, 2005 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allow remote attackers to inject arbitrary web script.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2004-2152
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 63.29%
||
7 Day CHG~0.00%
Published-01 Jul, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in 'raw' page output mode for MediaWiki 1.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CVE-2010-2788
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-2.6||LOW
EPSS-0.66% / 70.28%
||
7 Day CHG~0.00%
Published-27 Apr, 2011 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in profileinfo.php in MediaWiki before 1.15.5, when wgEnableProfileInfo is enabled, allows remote attackers to inject arbitrary web script or HTML via the filter parameter.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-23174
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.43% / 62.03%
||
7 Day CHG~0.00%
Published-12 Jan, 2024 | 00:00
Updated-20 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 246
  • 247
  • Next
Details not found