Search for packages
| purl | pkg:deb/debian/mediawiki@1:1.7 |
| Next non-vulnerable version | 1:1.43.8+dfsg-2 |
| Latest non-vulnerable version | 1:1.43.8+dfsg-2 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1697-p35n-fber
Aliases: CVE-2019-12466 GHSA-27fw-r78j-h898 |
Wikimedia MediaWiki allows CSRF Wikimedia MediaWiki through 1.32.1 allows CSRF in logout feature. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-17bk-y8nb-kfc9
Aliases: CVE-2013-6454 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-1866-gt2g-1qfv
Aliases: CVE-2019-12469 GHSA-x3fr-w7r5-x7rg |
MediaWiki Incorrect Access Control vulnerability MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-1993-aw6b-4kg7
Aliases: CVE-2017-8808 |
security update |
Affected by 106 other vulnerabilities. |
|
VCID-1bkk-tvsa-ukb1
Aliases: CVE-2015-2934 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-1f7s-dk69-mqg2
Aliases: CVE-2015-6727 |
The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to determine if an IP is autoblocked via the "Change block" text. |
Affected by 113 other vulnerabilities. |
|
VCID-1fr2-q23d-ekdf
Aliases: CVE-2017-0371 |
mediawiki: remote information disclosure |
Affected by 113 other vulnerabilities. |
|
VCID-1hwd-avxk-fqbs
Aliases: CVE-2015-8628 |
The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 allow remote attackers to obtain sensitive user login information via crafted links combined with page view statistics. |
Affected by 113 other vulnerabilities. |
|
VCID-1na8-nyq1-yfcy
Aliases: CVE-2021-20270 GHSA-9w8r-397f-prfh PYSEC-2021-140 |
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-1umc-vf94-87e6
Aliases: CVE-2013-6472 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-22yj-98wv-skc9
Aliases: CVE-2017-8815 |
security update |
Affected by 106 other vulnerabilities. |
|
VCID-29fv-52ge-mbft
Aliases: CVE-2017-0362 |
mediawiki: "Mark all pages visited" on the watchlist does not require a CSRF token |
Affected by 113 other vulnerabilities. |
|
VCID-2abz-k2yv-zkbp
Aliases: CVE-2017-8809 |
security update |
Affected by 106 other vulnerabilities. |
|
VCID-2fva-bc2j-dban
Aliases: CVE-2015-8003 |
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not throttle file uploads, which allows remote authenticated users to have unspecified impact via multiple file uploads. |
Affected by 113 other vulnerabilities. |
|
VCID-2s26-v16e-6uds
Aliases: CVE-2014-2242 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to execute arbitrary code. |
Affected by 162 other vulnerabilities. |
|
VCID-2wcb-hty6-uyez
Aliases: CVE-2025-32072 |
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection.This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43. |
Affected by 7 other vulnerabilities. |
|
VCID-2xa5-1rmz-bfh3
Aliases: CVE-2011-1587 |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578. |
Affected by 162 other vulnerabilities. |
|
VCID-2xja-2whv-fqe4
Aliases: CVE-2023-45362 |
mediawiki: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression |
Affected by 39 other vulnerabilities. |
|
VCID-2yav-jgcc-zyhc
Aliases: CVE-2011-1579 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. |
Affected by 162 other vulnerabilities. |
|
VCID-3181-j1se-eqgt
Aliases: CVE-2013-4572 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-32f4-khen-3yez
Aliases: CVE-2021-30159 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-3s9f-prpy-hbcx
Aliases: CVE-2019-11358 GHSA-6c3j-c64m-qhgq |
Cross-site Scripting The jQuery library, which is included in rdoc, mishandles `jQuery.extend(true, {}, ...)` because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype.` |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-3yt6-jnfb-9fcw
Aliases: CVE-2015-8627 |
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not supposed to have been allowed. |
Affected by 113 other vulnerabilities. |
|
VCID-3zue-5ccg-23hs
Aliases: CVE-2025-67480 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. |
Affected by 7 other vulnerabilities. |
|
VCID-41dt-sag4-tbc8
Aliases: CVE-2011-4360 |
MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter. |
Affected by 162 other vulnerabilities. |
|
VCID-424y-cjxg-c7az
Aliases: CVE-2020-25815 GHSA-2f58-vf6g-6p8x |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text(). |
Affected by 39 other vulnerabilities. |
|
VCID-4dfp-3qk9-j7fg
Aliases: CVE-2021-35197 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-4hp5-bdkg-fufh
Aliases: CVE-2015-2936 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-4keq-jcfa-13hc
Aliases: CVE-2019-19709 GHSA-pjv5-vv93-p648 |
Possible to circumvent title-blacklist MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-4vc8-5xct-wke5
Aliases: CVE-2013-4301 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. |
Affected by 162 other vulnerabilities. |
|
VCID-4yhr-jjt9-afaq
Aliases: CVE-2025-61641 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-542a-pavw-b7ax
Aliases: CVE-2015-2932 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-5fsv-cduw-ybb8
Aliases: CVE-2015-8005 |
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file. |
Affected by 113 other vulnerabilities. |
|
VCID-5muy-wgqw-dffa
Aliases: CVE-2016-6332 |
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to terminate sessions when a user account is blocked. |
Affected by 113 other vulnerabilities. |
|
VCID-5myd-ngfx-5qhb
Aliases: CVE-2023-51704 |
mediawiki: group-.*-member messages are not properly escaped on Special:log/rights |
Affected by 7 other vulnerabilities. |
|
VCID-5ye5-j6zz-bkau
Aliases: CVE-2011-1578 |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. |
Affected by 162 other vulnerabilities. |
|
VCID-674z-nf4t-b7ez
Aliases: CVE-2022-29248 GHSA-cwmx-hcrq-mhc3 |
Cross-domain cookie leakage in Guzzle ### Impact Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example.net`, logging the Guzzle client into their account and retrieving private API requests from the security log of their account. Note that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with `['cookies' => true]` are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3. ### Workarounds If you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off. ### References * [RFC6265 Section 5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 39 other vulnerabilities. |
|
VCID-6ads-gs3n-dubh
Aliases: CVE-2021-30458 GHSA-5pqx-77vf-85rw |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 39 other vulnerabilities. |
|
VCID-6gjh-cn8c-3yfp
Aliases: CVE-2014-9277 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to execute arbitrary code. |
Affected by 162 other vulnerabilities. Affected by 147 other vulnerabilities. |
|
VCID-6jq2-8mv5-pqaa
Aliases: CVE-2017-8811 |
security update |
Affected by 106 other vulnerabilities. |
|
VCID-6nqq-qzjq-bkc8
Aliases: CVE-2012-2698 |
Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page. |
Affected by 162 other vulnerabilities. |
|
VCID-73p6-esc6-tydd
Aliases: CVE-2020-35478 |
mediawiki: potential XSS via MediaWiki:blanknamespace outputting Block Logs |
Affected by 39 other vulnerabilities. |
|
VCID-74ej-8sna-jyek
Aliases: CVE-2025-32698 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 7 other vulnerabilities. |
|
VCID-7ar6-14bb-yfc5
Aliases: CVE-2020-35480 |
mediawiki: divergent behavior for contributions and user pages of hidden users and missing users |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-7eba-7gsc-hbfg
Aliases: CVE-2023-29141 GHSA-5vj8-g3qg-4qh6 |
X-Forwarded-For header allows brute-forcing autoblocked IP addresses An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. |
Affected by 39 other vulnerabilities. |
|
VCID-7j54-uz1w-y3dn
Aliases: CVE-2021-41801 |
security update |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-7m3q-wuh7-k7fn
Aliases: CVE-2021-30154 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-7ncu-yjpc-puf6
Aliases: CVE-2012-4885 |
The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function. |
Affected by 162 other vulnerabilities. |
|
VCID-7r33-m2f3-dkbm
Aliases: CVE-2013-2031 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. |
Affected by 162 other vulnerabilities. |
|
VCID-7sm8-2ced-6ba8
Aliases: CVE-2012-0046 |
mediawiki allows deleted text to be exposed |
Affected by 162 other vulnerabilities. |
|
VCID-7wh4-say2-pqap
Aliases: CVE-2025-61656 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-812q-n5hg-u7dx
Aliases: CVE-2020-35474 |
mediawiki: message recentchanges-legend-watchlistexpiry can contain raw html |
Affected by 39 other vulnerabilities. |
|
VCID-8sqw-6aae-13f5
Aliases: CVE-2021-30157 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-8svz-zhz1-vyh6
Aliases: CVE-2016-6331 |
ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php. |
Affected by 113 other vulnerabilities. |
|
VCID-8sym-py6e-fkf2
Aliases: CVE-2014-5241 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-8u2s-64jg-v3gc
Aliases: CVE-2013-4568 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-8uw8-ja3w-r3da
Aliases: CVE-2025-11261 |
MediaWiki: MediaWiki: Cross-site Scripting (XSS) vulnerability |
Affected by 7 other vulnerabilities. |
|
VCID-92hf-r3sb-jbhy
Aliases: CVE-2021-44855 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-9346-9aaj-fkfw
Aliases: CVE-2022-41765 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-95d1-mkm6-r3cq
Aliases: CVE-2025-6591 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0. |
Affected by 7 other vulnerabilities. |
|
VCID-9e5y-vgvx-73d6
Aliases: CVE-2017-0372 |
Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities. |
Affected by 113 other vulnerabilities. |
|
VCID-9exs-x5s1-4bhg
Aliases: CVE-2022-31042 GHSA-f2wf-25xc-69c9 |
Failure to strip the Cookie header on change in host or HTTP downgrade ### Impact `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 39 other vulnerabilities. |
|
VCID-9fzf-gj7f-6ken
Aliases: CVE-2013-6452 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-9g1g-z7d8-c7ah
Aliases: CVE-2020-36649 GHSA-qvjc-g5vr-mfgr GMS-2020-421 |
Regular Expression Denial of Service in papaparse Versions of `papaparse` prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The `parse` function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service. ## Recommendation Upgrade to version 5.2.0 or later. |
Affected by 39 other vulnerabilities. |
|
VCID-9nnu-4mda-7qg9
Aliases: CVE-2021-41798 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-9xyz-wzr8-wqhz
Aliases: CVE-2022-31090 GHSA-25mq-v84q-4j7r GMS-2022-2528 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-a8nh-mvhd-bka7
Aliases: CVE-2025-6597 |
MediaWiki: MediaWiki: Vulnerability in authentication management |
Affected by 7 other vulnerabilities. |
|
VCID-ad34-frk5-kqds
Aliases: CVE-2021-30158 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-aeju-gazv-abfz
Aliases: CVE-2015-2935 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-ammy-qfbj-sfdu
Aliases: CVE-2013-1817 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. |
Affected by 162 other vulnerabilities. |
|
VCID-arzd-7xhw-qqb4
Aliases: CVE-2020-25827 GHSA-rqvj-fc2x-99q6 |
OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-at9r-vw7p-6bfv
Aliases: CVE-2020-10960 GHSA-pfm2-mqwj-ggm5 |
MediaWiki makeCollapsible allows applying event handler to any CSS selector In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS). |
Affected by 87 other vulnerabilities. |
|
VCID-av7r-cpew-xkcn
Aliases: CVE-2021-45038 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-azup-qzq7-sbh6
Aliases: CVE-2020-25814 GHSA-4vr7-m8p8-434h |
MediaWiki Cross-site Scripting (XSS) vulnerability In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-b31c-cuwj-pqcm
Aliases: CVE-2014-5243 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-b5ke-cjtq-q3ev
Aliases: CVE-2025-6595 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer.This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. |
Affected by 7 other vulnerabilities. |
|
VCID-b8r6-r39r-3ffm
Aliases: CVE-2023-36674 |
MediaWiki: Manualthumb bypasses badFile lookup |
Affected by 39 other vulnerabilities. |
|
VCID-bbef-akjp-a3gp
Aliases: CVE-2019-12473 GHSA-33xw-x3pr-rvqj |
Wikimedia Potential DOS due to slow WatchedItemStore::countVisitingWatchersMultiple Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-bg3q-tt6z-2ycw
Aliases: CVE-2010-2787 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. |
Affected by 206 other vulnerabilities. |
|
VCID-bgjt-nzue-bqc1
Aliases: CVE-2016-6334 |
Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links. |
Affected by 113 other vulnerabilities. |
|
VCID-bncm-yfp5-1fdg
Aliases: CVE-2013-1951 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. |
Affected by 162 other vulnerabilities. |
|
VCID-brg4-rv29-1fgz
Aliases: CVE-2021-27291 GHSA-pq64-v7f5-gqh8 PYSEC-2021-141 |
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-bst2-2v56-a3h9
Aliases: CVE-2014-2243 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to execute arbitrary code. |
Affected by 162 other vulnerabilities. |
|
VCID-bwnb-xxrw-9khf
Aliases: CVE-2013-4303 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. |
Affected by 162 other vulnerabilities. |
|
VCID-c8zy-wsn9-63af
Aliases: CVE-2021-41799 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-ckkj-z5nq-akhb
Aliases: CVE-2021-44857 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-cm78-savr-xuf7
Aliases: CVE-2015-6730 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 113 other vulnerabilities. |
|
VCID-cww2-7sas-ufbw
Aliases: CVE-2008-5688 |
MediaWiki 1.8.1, and other versions before 1.13.3, when the wgShowExceptionDetails variable is enabled, sometimes provides the full installation path in a debugging message, which might allow remote attackers to obtain sensitive information via unspecified requests that trigger an uncaught exception. |
Affected by 206 other vulnerabilities. |
|
VCID-d2d1-77g2-9kac
Aliases: CVE-2014-7199 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-d6kz-e82q-6kh3
Aliases: CVE-2020-35479 |
mediawiki: potential XSS via the month messages such as MediaWiki:january through MediaWiki:december outputting Block Logs |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-dbed-h6a2-fucf
Aliases: CVE-2017-8814 |
security update |
Affected by 106 other vulnerabilities. |
|
VCID-den1-257q-euc9
Aliases: CVE-2025-61653 |
Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-dgmf-63vf-gkhp
Aliases: CVE-2015-2937 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-e2td-jqbd-vbaa
Aliases: CVE-2015-8624 |
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623. |
Affected by 113 other vulnerabilities. |
|
VCID-e3ad-yw1a-nbbu
Aliases: CVE-2017-0368 |
mediawiki: Make rawHTML mode not apply to system messages |
Affected by 113 other vulnerabilities. |
|
VCID-e8np-4nbw-t3b3
Aliases: CVE-2025-11173 |
Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-e9pq-ynp8-nygx
Aliases: CVE-2012-4382 |
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt. |
Affected by 162 other vulnerabilities. |
|
VCID-ea7c-xk4h-13fs
Aliases: CVE-2023-3550 |
mediawiki: stored XSS leads to privilege escalation |
Affected by 39 other vulnerabilities. |
|
VCID-edpm-d35f-qfch
Aliases: CVE-2011-4361 |
MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions. |
Affected by 162 other vulnerabilities. |
|
VCID-eefm-65rj-pyg2
Aliases: CVE-2021-44858 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-eud3-k24q-6ber
Aliases: CVE-2020-17368 |
Multiple vulnerabilities have been found in Firejail, the worst of which could result in the arbitrary execution of code. |
Affected by 87 other vulnerabilities. |
|
VCID-fkvy-961u-37be
Aliases: CVE-2015-2940 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-fm5x-32wy-57e3
Aliases: CVE-2012-4379 |
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element. |
Affected by 162 other vulnerabilities. |
|
VCID-fnzm-dxb3-v7hr
Aliases: CVE-2021-30153 |
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor. |
Affected by 39 other vulnerabilities. |
|
VCID-fpkf-8mcr-6bee
Aliases: CVE-2016-6337 |
MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights. |
Affected by 113 other vulnerabilities. |
|
VCID-fptt-2t1j-8fec
Aliases: CVE-2025-61639 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-fsk6-nkuk-wqa3
Aliases: CVE-2012-4378 |
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php. |
Affected by 162 other vulnerabilities. |
|
VCID-fujm-vb7d-vfhe
Aliases: CVE-2015-8002 |
The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authenticated users to cause a denial of service (disk consumption) via a file upload using one byte chunks. |
Affected by 113 other vulnerabilities. |
|
VCID-fwb3-kxy8-73hz
Aliases: CVE-2020-35477 |
mediawiki: unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-g2h7-8fye-wqcz
Aliases: CVE-2012-1582 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. |
Affected by 162 other vulnerabilities. |
|
VCID-g46d-hscr-u7cj
Aliases: CVE-2008-1318 |
Unspecified vulnerability in MediaWiki 1.11 before 1.11.2 allows remote attackers to obtain sensitive "cross-site" information via the callback parameter in an API call for JavaScript Object Notation (JSON) formatted results. |
Affected by 222 other vulnerabilities. |
|
VCID-gefx-bbtq-xyhj
Aliases: CVE-2013-2032 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. |
Affected by 162 other vulnerabilities. |
|
VCID-gma6-b9cy-kqee
Aliases: CVE-2019-12467 GHSA-6vfg-8ppv-h5hg |
MediaWiki Incorrect Access Control vulnerability MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-gq2p-qjcs-rbaf
Aliases: CVE-2012-5391 |
Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the session_id. |
Affected by 162 other vulnerabilities. |
|
VCID-h3d2-nr9e-nqbk
Aliases: CVE-2025-6926 |
Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows : Bypass Authentication.This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. |
Affected by 7 other vulnerabilities. |
|
VCID-h5xs-ky4t-b7ad
Aliases: CVE-2016-6333 |
Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css. |
Affected by 113 other vulnerabilities. |
|
VCID-h6k9-uykg-pqhx
Aliases: CVE-2011-0003 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. |
Affected by 206 other vulnerabilities. |
|
VCID-h789-pcxv-kbgd
Aliases: CVE-2025-6590 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0. |
Affected by 7 other vulnerabilities. |
|
VCID-h8jw-brz8-hkfn
Aliases: CVE-2020-25812 GHSA-rj9p-8jxj-2ch4 |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.34.x before 1.34.3. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-hrye-skfn-zbdx
Aliases: CVE-2013-4302 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. |
Affected by 162 other vulnerabilities. |
|
VCID-ht8a-qas7-4kce
Aliases: CVE-2013-6453 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-hzhn-4f3y-vyhs
Aliases: CVE-2014-1610 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-j1bz-4bex-4key
Aliases: CVE-2020-35475 |
mediawiki: messages userrights-expiry-current and userrights-expiry-none can contain raw html |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-ja6g-fvjy-77ck
Aliases: CVE-2014-3966 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-jm7q-2w3j-buhh
Aliases: CVE-2023-45363 GHSA-w5fx-cx7f-6vr9 |
MediaWiki Denial of Service vulnerability An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. |
Affected by 39 other vulnerabilities. |
|
VCID-jndf-ke83-tug8
Aliases: CVE-2009-0737 |
mediawiki: multiple XSS issues in the installer |
Affected by 206 other vulnerabilities. |
|
VCID-jwkd-wdus-6ygg
Aliases: CVE-2022-47927 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-k1f5-msra-4kam
Aliases: CVE-2021-30155 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-k6ry-6a7f-eqd7
Aliases: CVE-2017-0370 |
mediawiki: Improper URL sanitization in Spam blacklist |
Affected by 113 other vulnerabilities. |
|
VCID-k7qb-7hbj-1qc2
Aliases: CVE-2025-6594 |
MediaWiki: MediaWiki: Cross-site Scripting vulnerability via improper input neutralization |
Affected by 7 other vulnerabilities. |
|
VCID-kjp3-cs2f-t7b4
Aliases: CVE-2019-12471 GHSA-2rm7-xxx8-35jh |
MediaWiki Cross-site Scripting (XSS) Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-m1j5-3ecf-dffj
Aliases: CVE-2022-28202 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-m1xy-yucr-dqfs
Aliases: CVE-2025-61635 |
Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *. |
Affected by 7 other vulnerabilities. |
|
VCID-m5a4-k87e-skaq
Aliases: CVE-2012-4377 |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image. |
Affected by 162 other vulnerabilities. |
|
VCID-m7uw-sa5j-u3bw
Aliases: CVE-2025-67481 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. |
Affected by 7 other vulnerabilities. |
|
VCID-mbs4-gs37-1fh5
Aliases: CVE-2025-61646 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-mzd9-bu4b-wfar
Aliases: CVE-2013-7444 |
The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text. |
Affected by 113 other vulnerabilities. |
|
VCID-nqg1-1fyx-ruf9
Aliases: CVE-2017-0364 |
mediawiki: redirects to any interwiki link in special search |
Affected by 113 other vulnerabilities. |
|
VCID-nre7-4fpc-9keb
Aliases: CVE-2016-6336 |
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete. |
Affected by 113 other vulnerabilities. |
|
VCID-nsd6-kt5p-w7fe
Aliases: CVE-2015-8622 |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to a page named "javascript:alert('XSS!')." |
Affected by 113 other vulnerabilities. |
|
VCID-nwsr-ruca-2kha
Aliases: CVE-2022-31043 GHSA-w248-ffj2-4v5q |
Fix failure to strip Authorization header on HTTP downgrade ### Impact `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 39 other vulnerabilities. |
|
VCID-p4xx-4b17-4ka6
Aliases: CVE-2014-2665 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-peaj-crkx-yfgz
Aliases: CVE-2015-2933 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-pm3s-z5ap-qqay
Aliases: CVE-2025-61640 |
MediaWiki: MediaWiki: Arbitrary code execution via Cross-site Scripting (XSS) |
Affected by 7 other vulnerabilities. |
|
VCID-pm5t-23j4-6yh6
Aliases: CVE-2020-25828 GHSA-h8qx-mj6v-2934 |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-pqtu-ce8a-q7bk
Aliases: CVE-2012-4381 |
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors. |
Affected by 162 other vulnerabilities. |
|
VCID-pw9d-1cwb-tyb9
Aliases: CVE-2022-28201 |
security update |
Affected by 39 other vulnerabilities. |
|
VCID-pwjk-pzpj-aff6
Aliases: CVE-2025-32699 |
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2. |
Affected by 7 other vulnerabilities. |
|
VCID-q1sz-4wvv-9kc5
Aliases: CVE-2013-1816 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. |
Affected by 162 other vulnerabilities. |
|
VCID-qgzv-a881-9khq
Aliases: CVE-2015-2939 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-qjhk-97j6-2qfm
Aliases: CVE-2021-44854 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-qme5-cvje-1fg4
Aliases: CVE-2015-8004 |
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns a valid a change form. |
Affected by 113 other vulnerabilities. |
|
VCID-qmx3-kcnd-zuhe
Aliases: CVE-2019-12468 GHSA-wrhx-3pxr-6vgg |
Wikimedia MediaWiki Incorrect Access Control vulnerability An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-qpgu-mg6m-vyef
Aliases: CVE-2025-67482 |
Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a. |
Affected by 7 other vulnerabilities. |
|
VCID-qqvd-cjs3-7kab
Aliases: CVE-2022-34912 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-qwcp-5hh8-z3gp
Aliases: CVE-2022-41767 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-r4d2-1pxc-cqfh
Aliases: CVE-2008-0460 |
Multiple MediaWiki XSS vulnerabilities |
Affected by 222 other vulnerabilities. |
|
VCID-rd7h-vb4p-v3c3
Aliases: CVE-2010-1150 |
v.1.15.3: Login CSRF |
Affected by 206 other vulnerabilities. |
|
VCID-rhq2-r3hq-tqc5
Aliases: CVE-2015-8001 |
The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file size. |
Affected by 113 other vulnerabilities. |
|
VCID-rjz9-twh9-wkaa
Aliases: CVE-2012-4380 |
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors. |
Affected by 162 other vulnerabilities. |
|
VCID-ruur-4cvx-cqct
Aliases: CVE-2023-36675 |
mediawiki: cross site scripting |
Affected by 39 other vulnerabilities. |
|
VCID-rwtk-hep1-xfaw
Aliases: CVE-2021-30152 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-rz65-w7x5-57hu
Aliases: CVE-2022-34911 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-s5j8-5sjt-cfeu
Aliases: CVE-2014-7295 |
security update |
Affected by 162 other vulnerabilities. Affected by 147 other vulnerabilities. |
|
VCID-sbq7-1cwg-bkhg
Aliases: CVE-2015-2931 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-sc5s-s7vg-dygq
Aliases: CVE-2024-34506 |
mediawiki: denial of service |
Affected by 39 other vulnerabilities. |
|
VCID-sca5-n7rz-rffq
Aliases: CVE-2021-44856 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-sf61-byhw-17gv
Aliases: CVE-2018-0503 GHSA-mhfv-9h99-jwg7 |
Mediawiki Improper Privilege Management Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry for 'user' overrides that for 'newbie'. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-sfp5-ygxn-nufe
Aliases: CVE-2015-2942 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-sh6q-pur2-gkag
Aliases: CVE-2017-0366 |
mediawiki: SVG filter evasion using default attribute values in DTD declaration |
Affected by 113 other vulnerabilities. |
|
VCID-sr9a-a6vt-1qgt
Aliases: CVE-2025-61638 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1. |
Affected by 7 other vulnerabilities. |
|
VCID-sz6n-4pbk-d7ay
Aliases: CVE-2017-0361 |
mediawiki: information disclosure in the api.log |
Affected by 113 other vulnerabilities. |
|
VCID-t6w8-cgct-gbgz
Aliases: CVE-2019-16738 GHSA-7hwr-f745-5rwq |
MediaWiki information disclosure In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-tewa-wqk4-5bhy
Aliases: CVE-2010-1189 |
MediaWiki: Two security fixes in v1.15.2 |
Affected by 206 other vulnerabilities. |
|
VCID-tq2e-c9ym-a3hj
Aliases: CVE-2019-12474 GHSA-2qrr-c2gh-pr35 |
Wikimedia information leak vulnerability Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-tutk-y8jg-n7dh
Aliases: CVE-2025-67478 |
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-u2xc-ztge-p3bv
Aliases: CVE-2019-12472 GHSA-7mqg-5fgh-xh4r |
MediaWiki Incorrect Access Control vulnerability An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-ubbe-qu8g-5fa1
Aliases: CVE-2017-0367 |
mediawiki: unsafe use of temporary directory |
Affected by 113 other vulnerabilities. |
|
VCID-ujdn-y48t-pbch
Aliases: CVE-2020-25813 GHSA-c4rj-wrmq-52rj |
MediaWiki Special:UserRights exposes the existence of hidden users In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-us2t-3nsp-53af
Aliases: CVE-2011-1580 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. |
Affected by 162 other vulnerabilities. |
|
VCID-uzv4-9xtx-ryhr
Aliases: CVE-2020-17367 |
Multiple vulnerabilities have been found in Firejail, the worst of which could result in the arbitrary execution of code. |
Affected by 87 other vulnerabilities. |
|
VCID-v27j-4pnt-n7h9
Aliases: CVE-2018-0505 GHSA-5c6w-f4w2-2grp |
Mediawiki BotPassword can bypass CentralAuth's account lock Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-v3dp-7stt-tygf
Aliases: CVE-2025-67475 |
MediaWiki: MediaWiki: Cross-site Scripting vulnerability due to improper input neutralization |
Affected by 7 other vulnerabilities. |
|
VCID-v7k4-r4nw-rud8
Aliases: CVE-2010-1647 |
Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer. |
Affected by 206 other vulnerabilities. |
|
VCID-va68-tzme-t3dq
Aliases: CVE-2013-2114 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. |
Affected by 162 other vulnerabilities. |
|
VCID-va7m-2x57-m7cg
Aliases: CVE-2008-5252 |
Cross-site request forgery (CSRF) vulnerability in the Special:Import feature in MediaWiki 1.3.0 through 1.6.10, 1.12.x before 1.12.2, and 1.13.x before 1.13.3 allows remote attackers to perform unspecified actions as authenticated users via unknown vectors. |
Affected by 206 other vulnerabilities. |
|
VCID-vfh6-parb-rqbn
Aliases: CVE-2008-5250 |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page. |
Affected by 206 other vulnerabilities. |
|
VCID-vjd5-jv5h-yfhw
Aliases: CVE-2025-61655 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-vnmh-kbjt-h3bz
Aliases: CVE-2009-4589 |
Cross-site scripting (XSS) vulnerability in the Special:Block implementation in the getContribsLink function in SpecialBlockip.php in MediaWiki 1.14.0 and 1.15.0 allows remote attackers to inject arbitrary web script or HTML via the ip parameter. |
Affected by 206 other vulnerabilities. |
|
VCID-vz1t-x9se-tbcg
Aliases: CVE-2010-2788 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. |
Affected by 206 other vulnerabilities. |
|
VCID-w3f8-nrqd-p7gq
Aliases: CVE-2018-0504 GHSA-hr8v-f4g2-p66f |
Mediawiki information disclosure vulnerability Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-w51y-hprj-buap
Aliases: CVE-2025-32696 |
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 7 other vulnerabilities. |
|
VCID-wcvz-jgjs-budx
Aliases: CVE-2008-4408 |
mediawiki: XSS via the useskin parameter |
Affected by 206 other vulnerabilities. |
|
VCID-weh4-ev3r-jyep
Aliases: CVE-2017-8812 |
security update |
Affected by 106 other vulnerabilities. |
|
VCID-wh8d-7n6u-57au
Aliases: CVE-2007-0894 |
MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information via a direct request to (1) Simple.deps.php, (2) MonoBook.deps.php, (3) MySkin.deps.php, or (4) Chick.deps.php in wiki/skins, which shows the installation path in the resulting error message. |
Affected by 222 other vulnerabilities. |
|
VCID-wjx4-aawn-23f6
Aliases: CVE-2017-8810 |
security update |
Affected by 106 other vulnerabilities. |
|
VCID-wraf-59ce-u3br
Aliases: CVE-2025-67479 |
MediaWiki: MediaWiki: Vulnerability in parsing and sanitization |
Affected by 7 other vulnerabilities. |
|
VCID-wzqf-k99e-vbeu
Aliases: CVE-2022-31091 GHSA-q559-8m2m-g699 GMS-2022-2529 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 39 other vulnerabilities. |
|
VCID-xj9q-7kq3-x7b4
Aliases: CVE-2015-6728 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 113 other vulnerabilities. |
|
VCID-xjz8-ebps-ckb1
Aliases: CVE-2016-6335 |
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php. |
Affected by 113 other vulnerabilities. |
|
VCID-xqkp-986n-m7f3
Aliases: CVE-2017-0369 |
mediawiki: Improper Access Control to protected pages |
Affected by 113 other vulnerabilities. |
|
VCID-xs54-b62e-sbbz
Aliases: CVE-2012-1581 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. |
Affected by 162 other vulnerabilities. |
|
VCID-xtd9-wbd9-67ew
Aliases: CVE-2025-6593 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. |
Affected by 7 other vulnerabilities. |
|
VCID-y2nw-1x3v-73em
Aliases: CVE-2015-2938 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-y9bw-g8dr-tkap
Aliases: CVE-2008-5687 |
MediaWiki 1.11, and other versions before 1.13.3, does not properly protect against the download of backups of deleted images, which might allow remote attackers to obtain sensitive information via requests for files in images/deleted/. |
Affected by 206 other vulnerabilities. |
|
VCID-yakw-r8bh-5bde
Aliases: CVE-2022-28203 |
security update |
Affected by 39 other vulnerabilities. |
|
VCID-yc9s-xn4z-jbde
Aliases: CVE-2015-8623 |
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624. |
Affected by 113 other vulnerabilities. |
|
VCID-yfq4-qg4d-4ubg
Aliases: CVE-2013-6451 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to execute arbitrary code. |
Affected by 162 other vulnerabilities. |
|
VCID-yp61-wsxj-fbdf
Aliases: CVE-2010-1190 |
MediaWiki: Two security fixes in v1.15.2 |
Affected by 206 other vulnerabilities. |
|
VCID-yr8d-347g-pugg
Aliases: CVE-2019-12470 GHSA-733q-m38x-q7cc |
Wikimedia MediaWik exposed suppressed log in RevisionDelete page Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
Affected by 106 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-z1we-4qg8-bbcr
Aliases: CVE-2010-1648 |
Cross-site request forgery (CSRF) vulnerability in the login interface in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to hijack the authentication of users for requests that (1) create accounts or (2) reset passwords, related to the Special:Userlogin form. |
Affected by 206 other vulnerabilities. |
|
VCID-z3qw-4ejj-uffj
Aliases: CVE-2025-3469 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 7 other vulnerabilities. |
|
VCID-z7qu-jq6m-7kgp
Aliases: CVE-2015-2941 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to cause a Denial of Service. |
Affected by 147 other vulnerabilities. |
|
VCID-z8qp-v64u-tuh8
Aliases: CVE-2025-67484 |
MediaWiki: MediaWiki: Vulnerability in ApiFormatXml.Php requiring high privileges |
Affected by 7 other vulnerabilities. |
|
VCID-z9au-wxbn-aqct
Aliases: CVE-2011-0047 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. |
Affected by 162 other vulnerabilities. |
|
VCID-z9d9-aer5-gfa9
Aliases: CVE-2021-41800 GHSA-c8wv-qwwc-6j73 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. |
Affected by 87 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-z9h6-w12c-xqe1
Aliases: CVE-2013-4567 |
security update |
Affected by 162 other vulnerabilities. |
|
VCID-zcz5-fq86-mkhw
Aliases: CVE-2008-5249 |
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.0 through 1.13.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 206 other vulnerabilities. |
|
VCID-zgdf-mxfn-gbea
Aliases: CVE-2020-15005 GHSA-xpv7-93cm-4mxv |
img_auth.php may leak private extension images into the public cache In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled. |
Affected by 87 other vulnerabilities. |
|
VCID-zh21-963v-ekhg
Aliases: CVE-2014-9475 |
Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to execute arbitrary code. |
Affected by 162 other vulnerabilities. Affected by 147 other vulnerabilities. |
|
VCID-zhp6-af71-57gk
Aliases: CVE-2015-8626 |
The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 generates passwords smaller than $wgMinimalPasswordLength, which makes it easier for remote attackers to obtain access via a brute-force attack. |
Affected by 113 other vulnerabilities. |
|
VCID-zj5a-p9u4-ducw
Aliases: CVE-2023-45360 |
mediawiki: XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages |
Affected by 39 other vulnerabilities. |
|
VCID-zmzk-jv3z-tub4
Aliases: CVE-2017-0363 |
mediawiki: open redirect to external sites |
Affected by 113 other vulnerabilities. |
|
VCID-ztxx-cc2c-87at
Aliases: CVE-2025-61643 |
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. |
Affected by 7 other vulnerabilities. |
|
VCID-zz68-pwk2-abew
Aliases: CVE-2017-0365 |
mediawiki: XSS in SearchHighlighter::highlightText() |
Affected by 113 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||