Latest MediaWiki Vulnerabilities

An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message.
MediaWiki MediaWiki<1.40.2
An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and ...
MediaWiki MediaWiki<1.35.14
MediaWiki MediaWiki>=1.36.0<1.39.6
MediaWiki MediaWiki>=1.40.0<1.40.2
An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCh...
MediaWiki MediaWiki<1.35.14
MediaWiki MediaWiki>=1.36.0<1.39.6
MediaWiki MediaWiki>=1.40.0<1.40.2
An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-...
MediaWiki MediaWiki<1.35.14
MediaWiki MediaWiki>=1.36.0<1.39.6
MediaWiki MediaWiki>=1.40.0<1.40.2
An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subt...
MediaWiki MediaWiki<1.40.2
An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-x...
MediaWiki MediaWiki<1.35.14
MediaWiki MediaWiki>=1.36.0<1.39.6
MediaWiki MediaWiki>=1.40.0<1.40.2
An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter.
MediaWiki MediaWiki<1.40.2
An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XS...
MediaWiki MediaWiki<1.35.14
MediaWiki MediaWiki>=1.36.0<1.39.6
MediaWiki MediaWiki>=1.40.0<1.40.2
An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. Th...
debian/mediawiki <=1:1.31.16-1+deb10u2, <=1:1.31.16-1+deb10u7, <=1:1.35.11-1~deb11u1
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.39.0<1.39.5
MediaWiki MediaWiki=1.40.0
MediaWiki MediaWiki=1.40.0-rc0
An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the sa...
debian/mediawiki <=1:1.31.16-1+deb10u2, <=1:1.35.11-1~deb11u1
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
MediaWiki MediaWiki=1.40.0-rc0
An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It does not check for the anti-CSRF edit token in Spec...
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is no rate limit for merging items.
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
An issue was discovered in the ProofreadPage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. XSS can occur via formatNumNoSeparators.
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. SportsTeams: Special:SportsManagerLogo and Special:Spo...
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. During item merging, ItemMergeInteractor does not have an...
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
An issue was discovered in the PageTriage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. Usernames of hidden users are exposed.
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
An issue was discovered in the CheckUser extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. A user can use a rest.php/checkuser/v0/useragent-clienth...
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. Deleted revision existence is leaked due to incorrect permissions being ...
debian/mediawiki
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
Debian Debian Linux=11.0
Debian Debian Linux=12.0
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop a...
debian/mediawiki <=1:1.31.16-1+deb10u2, <=1:1.35.11-1~deb11u1
MediaWiki MediaWiki<1.35.12
MediaWiki MediaWiki>=1.36.0<1.39.5
MediaWiki MediaWiki=1.40.0
Debian Debian Linux=11.0
Debian Debian Linux=12.0
Stored XSS leads to privilege escalation in MediaWiki v1.40.0
debian/mediawiki <=1:1.31.16-1+deb10u2, <=1:1.35.11-1~deb11u1
MediaWiki MediaWiki=1.40.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by u...
debian/mediawiki
MediaWiki MediaWiki<1.35.11
MediaWiki MediaWiki>=1.36.0<1.38.7
MediaWiki MediaWiki>=1.39.0<1.39.4
MediaWiki MediaWiki=1.40.0
An issue was discovered in the ProofreadPage (aka Proofread Page) extension for MediaWiki through 1.39.3. In includes/Page/PageContentHandler.php and includes/Page/PageDisplayHandler.php, hidden users...
MediaWiki MediaWiki<=1.39.3
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from res...
MediaWiki MediaWiki<=1.39.3
An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the column alignment feature.
MediaWiki MediaWiki<=1.39.3
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user fails after a temporary browser hang and a DBQueryDisconnectedError e...
MediaWiki MediaWiki<=1.39.3
An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn't use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.
MediaWiki MediaWiki<=1.39.3
An issue was discovered in the CheckUserLog API in the CheckUser extension for MediaWiki through 1.39.3. There is incorrect access control for visibility of hidden users.
MediaWiki MediaWiki<=1.39.3
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. It allows one to store javascript: URLs in URL fields, and automatically links these URLs.
MediaWiki MediaWiki<=1.39.3
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted page item when using the default format.
MediaWiki MediaWiki<=1.39.3
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP reque...
MediaWiki MediaWiki<=1.39.3
An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and...
MediaWiki MediaWiki<=1.39.3
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature.
debian/mediawiki
MediaWiki MediaWiki<1.35.11
MediaWiki MediaWiki>=1.36.0<1.38.7
MediaWiki MediaWiki>=1.39.0<1.39.4
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when t...
MediaWiki MediaWiki<1.35.8
MediaWiki MediaWiki>=1.36.0<1.37.5
MediaWiki MediaWiki>=1.38.0<1.38.3
The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articl...
Mediawiki Score<=0.3.0
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. When using VisualEditor to edit a MediaWiki user page belonging to an exis...
MediaWiki MediaWiki<1.31.13
MediaWiki MediaWiki>=1.32.0<1.35.2
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_...
MediaWiki MediaWiki<=1.39.3
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, ...
MediaWiki MediaWiki<=1.39.3
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.
debian/mediawiki<=1:1.31.16-1+deb10u2
MediaWiki MediaWiki<1.35.10
MediaWiki MediaWiki>=1.36.0<1.38.6
MediaWiki MediaWiki>=1.39.0<1.39.3
Fedoraproject Fedora=37
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. When a user with checkuserlog permissions makes many CheckUserLog API requests in some configurations, denial of servic...
MediaWiki MediaWiki<=1.39.3
DaSchTour matomo-mediawiki-extension Username Piwik.hooks.php cross site scripting
composer/mediawiki/matomo<2.4.3
Mediawiki Matomo>=2.4.0<2.4.3
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This informat...
MediaWiki MediaWiki=1.39.0
MediaWiki MediaWiki=1.39.0-rc0
MediaWiki MediaWiki=1.39.0-rc1
MediaWiki MediaWiki=1.39.1
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This a...
MediaWiki MediaWiki<1.35.9
MediaWiki MediaWiki>=1.36.0<1.38.5
MediaWiki MediaWiki=1.39.0
MediaWiki MediaWiki=1.39.0-rc0
MediaWiki MediaWiki=1.39.0-rc1
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-use...
MediaWiki MediaWiki<1.35.9
MediaWiki MediaWiki>=1.36.0<1.38.5
MediaWiki MediaWiki=1.39.0
MediaWiki MediaWiki=1.39.0-rc0
MediaWiki MediaWiki=1.39.0-rc1
A vulnerability, which was classified as problematic, was found in Wikisource Category Browser. This affects an unknown part of the file index.php. The manipulation of the argument lang leads to cross...
Mediawiki Wikisource Category Browser<2015-07-10
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQL...
MediaWiki MediaWiki<1.35.9
MediaWiki MediaWiki>=1.36.0<1.38.5
MediaWiki MediaWiki=1.39.0
MediaWiki MediaWiki=1.39.0-rc0
MediaWiki MediaWiki=1.39.0-rc1
Fedoraproject Fedora=37
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship...
MediaWiki MediaWiki<=1.39.0
Fedoraproject Fedora=37
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because dat...
MediaWiki MediaWiki<1.35.9
MediaWiki MediaWiki>=1.36.0<1.38.5
MediaWiki MediaWiki=1.39.0
MediaWiki MediaWiki=1.39.0-rc0
MediaWiki MediaWiki=1.39.0-rc1
Fedoraproject Fedora=37
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because ...
MediaWiki MediaWiki<1.35.9
MediaWiki MediaWiki>=1.36.0<1.38.5
MediaWiki MediaWiki=1.39.0
MediaWiki MediaWiki=1.39.0-rc0
MediaWiki MediaWiki=1.39.0-rc1
Fedoraproject Fedora=37
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.
debian/mediawiki<=1:1.31.16-1+deb10u2
MediaWiki MediaWiki<1.35.8
MediaWiki MediaWiki>=1.36.0<1.37.5
MediaWiki MediaWiki>=1.38.0<1.38.3
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), th...
debian/mediawiki<=1:1.31.16-1+deb10u2
MediaWiki MediaWiki<1.35.8
MediaWiki MediaWiki>=1.36.0<1.37.5
MediaWiki MediaWiki>=1.38.0<1.38.3
© 2024 SecAlerts Pty Ltd.