Search for packages
| purl | pkg:deb/debian/mediawiki@1:1.31.16-1%2Bdeb10u2 |
| Next non-vulnerable version | 1:1.39.13-1~deb12u1 |
| Latest non-vulnerable version | 1:1.39.13-1~deb12u1 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-13vu-q5g8-43e3
Aliases: CVE-2021-41799 |
mediawiki: ApiQueryBacklinks can cause a full table scan and as a result DoS |
Affected by 14 other vulnerabilities. |
|
VCID-15pn-z816-zbb6
Aliases: CVE-2023-45363 GHSA-w5fx-cx7f-6vr9 |
MediaWiki Denial of Service vulnerability An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. |
Affected by 14 other vulnerabilities. |
|
VCID-1f2h-hvvd-g7dg
Aliases: CVE-2023-45362 |
mediawiki: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression |
Affected by 14 other vulnerabilities. |
|
VCID-1kpb-6pyc-byb4
Aliases: CVE-2020-25828 GHSA-h8qx-mj6v-2934 |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) |
Affected by 14 other vulnerabilities. |
|
VCID-2nan-sz96-1fhq
Aliases: CVE-2023-29141 GHSA-5vj8-g3qg-4qh6 |
X-Forwarded-For header allows brute-forcing autoblocked IP addresses An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header. |
Affected by 14 other vulnerabilities. |
|
VCID-3tnx-tb4s-zyfk
Aliases: CVE-2021-44856 |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value. |
Affected by 14 other vulnerabilities. |
|
VCID-3w12-rj24-uqds
Aliases: CVE-2025-6595 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-5buj-b91g-3fd8
Aliases: CVE-2020-36649 GHSA-qvjc-g5vr-mfgr GMS-2020-421 |
Regular Expression Denial of Service in papaparse Versions of `papaparse` prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The `parse` function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service. ## Recommendation Upgrade to version 5.2.0 or later. |
Affected by 14 other vulnerabilities. |
|
VCID-64zq-vmwp-hfge
Aliases: CVE-2020-35475 |
mediawiki: messages userrights-expiry-current and userrights-expiry-none can contain raw html |
Affected by 14 other vulnerabilities. |
|
VCID-6aqu-4zcv-jfdx
Aliases: CVE-2023-3550 |
Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator. |
Affected by 14 other vulnerabilities. |
|
VCID-6mzr-p5f8-3qd1
Aliases: CVE-2025-32698 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-7cfn-d6k8-43g5
Aliases: CVE-2021-30153 |
An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor. |
Affected by 14 other vulnerabilities. |
|
VCID-7x1v-fbsz-jfbr
Aliases: CVE-2021-41800 GHSA-c8wv-qwwc-6j73 |
MediaWiki allows a denial of service MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled. |
Affected by 14 other vulnerabilities. |
|
VCID-855f-2pne-gycx
Aliases: CVE-2021-35197 |
mediawiki: blocked users are able to purge pages impacting Integrity |
Affected by 14 other vulnerabilities. |
|
VCID-93d7-4h9f-8fga
Aliases: CVE-2022-41765 |
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. |
Affected by 14 other vulnerabilities. |
|
VCID-9ejm-72ax-skgw
Aliases: CVE-2023-45360 |
An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. |
Affected by 14 other vulnerabilities. |
|
VCID-ags3-2tv9-mqh8
Aliases: CVE-2021-41801 |
multiple issues |
Affected by 14 other vulnerabilities. |
|
VCID-b6d9-um1e-cbdv
Aliases: CVE-2023-36675 |
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature. |
Affected by 14 other vulnerabilities. |
|
VCID-bewy-kfs2-6fc3
Aliases: CVE-2021-44858 |
mediawiki: information disclosure |
Affected by 14 other vulnerabilities. |
|
VCID-bh1q-uc3v-afgf
Aliases: CVE-2023-36674 |
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax. |
Affected by 14 other vulnerabilities. |
|
VCID-ch4p-fdd8-kkcf
Aliases: CVE-2021-44854 |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis. |
Affected by 14 other vulnerabilities. |
|
VCID-d7vh-6t1f-6fcz
Aliases: CVE-2025-6590 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-e75u-66tu-kqcj
Aliases: CVE-2025-3469 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-eabm-r6ua-nbcv
Aliases: CVE-2022-31090 GHSA-25mq-v84q-4j7r GMS-2022-2528 |
CURLOPT_HTTPAUTH option not cleared on change of origin ### Impact `Authorization` headers on requests are sensitive information. When using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` and `CURLOPT_USERPWD` options before continuing, stopping curl from appending the `Authorization` header to the new request. Previously, we would only consider a change in host. Now, we consider any change in host, port or scheme to be a change in origin. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. ### Workarounds If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle stream handler backend, rather than curl. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) * [CVE-2022-27776](https://curl.se/docs/CVE-2022-27776.html) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 14 other vulnerabilities. |
|
VCID-epav-z3qb-rbej
Aliases: CVE-2021-44857 |
mediawiki: information disclosure and manipulation possible under specific conditions |
Affected by 14 other vulnerabilities. |
|
VCID-ev4v-equp-q3c2
Aliases: CVE-2025-6594 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-f7sj-37hx-jufx
Aliases: CVE-2025-6591 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-gkzq-thjf-z7fa
Aliases: CVE-2021-20270 GHSA-9w8r-397f-prfh PYSEC-2021-140 |
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
Affected by 14 other vulnerabilities. |
|
VCID-h853-1syx-g7he
Aliases: CVE-2021-30458 GHSA-5pqx-77vf-85rw |
Wikimedia Parsoid vulnerable to Cross-site Scripting (XSS) An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization steps, and potentially allowing for XSS. |
Affected by 14 other vulnerabilities. |
|
VCID-hghy-83ke-23eu
Aliases: CVE-2022-29248 GHSA-cwmx-hcrq-mhc3 |
Cross-domain cookie leakage in Guzzle ### Impact Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example.net`, logging the Guzzle client into their account and retrieving private API requests from the security log of their account. Note that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with `['cookies' => true]` are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3. ### Workarounds If you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off. ### References * [RFC6265 Section 5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 14 other vulnerabilities. |
|
VCID-hp2f-gn21-gkce
Aliases: CVE-2022-28203 |
A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query. |
Affected by 14 other vulnerabilities. |
|
VCID-hxv2-v9z1-3qh8
Aliases: CVE-2022-31091 GHSA-q559-8m2m-g699 GMS-2022-2529 |
Change in port should be considered a change in origin ### Impact `Authorization` and `Cookie` headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme downgrade. Now, we consider any change in host, port or scheme to be a change in origin. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) * [CVE-2022-27776](https://curl.se/docs/CVE-2022-27776.html) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 14 other vulnerabilities. |
|
VCID-j741-kstk-pqgn
Aliases: CVE-2020-25815 GHSA-2f58-vf6g-6p8x |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text(). |
Affected by 14 other vulnerabilities. |
|
VCID-j919-vgae-yqew
Aliases: CVE-2021-30152 |
mediawiki: action=protect lets users with 'protect' permission protect to higher protection level |
Affected by 14 other vulnerabilities. |
|
VCID-krs8-9ssu-rye5
Aliases: CVE-2020-35478 |
mediawiki: potential XSS via MediaWiki:blanknamespace outputting Block Logs |
Affected by 14 other vulnerabilities. |
|
VCID-kx4b-gpc1-aqa8
Aliases: CVE-2025-6593 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-m44t-5z4c-juej
Aliases: CVE-2021-41798 |
mediawiki: Cross-site scripting (XSS) in Special:Search |
Affected by 14 other vulnerabilities. |
|
VCID-mz2m-vq2z-aygk
Aliases: CVE-2020-35480 |
mediawiki: divergent behavior for contributions and user pages of hidden users and missing users |
Affected by 14 other vulnerabilities. |
|
VCID-nu2f-76a5-nucp
Aliases: CVE-2025-32072 |
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection.This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-nvmk-rsyq-43fn
Aliases: CVE-2021-30157 |
mediawiki: XSS due to unescaped messages used in HTML on ChangesList pages |
Affected by 14 other vulnerabilities. |
|
VCID-p8gc-bk7w-1khy
Aliases: CVE-2020-25814 GHSA-4vr7-m8p8-434h |
MediaWiki Cross-site Scripting (XSS) vulnerability In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. |
Affected by 14 other vulnerabilities. |
|
VCID-p93c-damj-kbec
Aliases: CVE-2021-27291 GHSA-pq64-v7f5-gqh8 PYSEC-2021-141 |
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
Affected by 14 other vulnerabilities. |
|
VCID-pe96-2tca-bqgu
Aliases: CVE-2020-35479 |
mediawiki: potential XSS via the month messages such as MediaWiki:january through MediaWiki:december outputting Block Logs |
Affected by 14 other vulnerabilities. |
|
VCID-pgv1-bdcx-2ug6
Aliases: CVE-2022-41767 |
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup. |
Affected by 14 other vulnerabilities. |
|
VCID-pj3h-4tp6-ykhk
Aliases: CVE-2020-25812 GHSA-rj9p-8jxj-2ch4 |
MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.34.x before 1.34.3. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML. |
Affected by 14 other vulnerabilities. |
|
VCID-qp7a-rnx9-muey
Aliases: CVE-2024-34506 |
An issue was discovered in includes/specials/SpecialMovePage.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. If a user with the necessary rights to move the page opens Special:MovePage for a page with tens of thousands of subpages, then the page will exceed the maximum request time, leading to a denial of service. |
Affected by 14 other vulnerabilities. |
|
VCID-r952-dxkq-vbdy
Aliases: CVE-2025-6926 |
Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows : Bypass Authentication.This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. |
Affected by 1 other vulnerability. |
|
VCID-rd8y-cyj3-sqau
Aliases: CVE-2021-45038 |
mediawiki: information disclosure |
Affected by 14 other vulnerabilities. |
|
VCID-s3j4-6zrg-nbc4
Aliases: CVE-2022-31042 GHSA-f2wf-25xc-69c9 |
Failure to strip the Cookie header on change in host or HTTP downgrade ### Impact `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 14 other vulnerabilities. |
|
VCID-sfnb-39u7-cbap
Aliases: CVE-2020-25813 GHSA-c4rj-wrmq-52rj |
MediaWiki Special:UserRights exposes the existence of hidden users In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users. |
Affected by 14 other vulnerabilities. |
|
VCID-sh4s-g6hc-vbhf
Aliases: CVE-2021-30159 |
mediawiki: users can bypass intended restrictions on deleting pages in certain "fast double move" situations |
Affected by 14 other vulnerabilities. |
|
VCID-sk2r-zb1q-mygn
Aliases: CVE-2023-51704 |
mediawiki: group-.*-member messages are not properly escaped on Special:log/rights |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-tbk5-k2e8-8kay
Aliases: CVE-2020-35477 |
mediawiki: unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage |
Affected by 14 other vulnerabilities. |
|
VCID-tgh8-se9x-53cv
Aliases: CVE-2022-34911 |
mediawiki: Cross-site Scripting |
Affected by 14 other vulnerabilities. |
|
VCID-tqsa-cpsf-gyee
Aliases: CVE-2022-31043 GHSA-w248-ffj2-4v5q |
Fix failure to strip Authorization header on HTTP downgrade ### Impact `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 14 other vulnerabilities. |
|
VCID-tt4v-8w1b-8bfy
Aliases: CVE-2022-28202 |
mediawiki: xss due to incorrect escaping |
Affected by 14 other vulnerabilities. |
|
VCID-txrx-5js8-eybm
Aliases: CVE-2021-30155 |
mediawiki: ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page |
Affected by 14 other vulnerabilities. |
|
VCID-u3rd-a1y3-eygq
Aliases: CVE-2022-34912 |
mediawiki: Username not escaped in the contributions-title message |
Affected by 14 other vulnerabilities. |
|
VCID-ue85-5gy8-2bdw
Aliases: CVE-2025-6597 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
|
VCID-ux7m-sv8j-ybeq
Aliases: CVE-2020-25827 GHSA-rqvj-fc2x-99q6 |
OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. |
Affected by 14 other vulnerabilities. |
|
VCID-w8h5-th3q-yffz
Aliases: CVE-2021-30154 |
mediawiki: XSS due to unescaped messages used in HTML on Special:NewFiles |
Affected by 14 other vulnerabilities. |
|
VCID-whsr-x65a-qbfd
Aliases: CVE-2022-28201 |
An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. |
Affected by 14 other vulnerabilities. |
|
VCID-x318-4ypf-cue6
Aliases: CVE-2020-35474 |
mediawiki: message recentchanges-legend-watchlistexpiry can contain raw html |
Affected by 14 other vulnerabilities. |
|
VCID-xcxk-97jc-dyer
Aliases: CVE-2021-30158 |
mediawiki: blocked users are unable to use Special:ResetTokens |
Affected by 14 other vulnerabilities. |
|
VCID-yjgw-hrsr-q3bz
Aliases: CVE-2025-32699 |
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-z4gr-zsn8-cfcz
Aliases: CVE-2021-44855 |
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature. |
Affected by 14 other vulnerabilities. |
|
VCID-zccp-k413-2yhy
Aliases: CVE-2022-47927 |
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data. |
Affected by 14 other vulnerabilities. |
|
VCID-zzg3-w43c-bybp
Aliases: CVE-2025-32696 |
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-13vu-q5g8-43e3 | mediawiki: ApiQueryBacklinks can cause a full table scan and as a result DoS |
CVE-2021-41799
|
| VCID-1kpb-6pyc-byb4 | MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) |
CVE-2020-25828
GHSA-h8qx-mj6v-2934 |
| VCID-3dae-ke7b-dkh4 | img_auth.php may leak private extension images into the public cache In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled. |
CVE-2020-15005
GHSA-xpv7-93cm-4mxv |
| VCID-5h3b-9bc1-e7bn | MediaWiki Incorrect Access Control vulnerability An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12472
GHSA-7mqg-5fgh-xh4r |
| VCID-5skd-1vkg-uuhh | MediaWiki Incorrect Access Control vulnerability MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12467
GHSA-6vfg-8ppv-h5hg |
| VCID-64zq-vmwp-hfge | mediawiki: messages userrights-expiry-current and userrights-expiry-none can contain raw html |
CVE-2020-35475
|
| VCID-7x1v-fbsz-jfbr | MediaWiki allows a denial of service MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled. |
CVE-2021-41800
GHSA-c8wv-qwwc-6j73 |
| VCID-855f-2pne-gycx | mediawiki: blocked users are able to purge pages impacting Integrity |
CVE-2021-35197
|
| VCID-a7ku-2v19-dkdf | MediaWiki Incorrect Access Control vulnerability MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12469
GHSA-x3fr-w7r5-x7rg |
| VCID-ags3-2tv9-mqh8 | multiple issues |
CVE-2021-41801
|
| VCID-amhq-f69a-cqcp | Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection. |
CVE-2020-17368
|
| VCID-bcea-x4a1-b7d9 | Mediawiki Improper Privilege Management Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry for 'user' overrides that for 'newbie'. |
CVE-2018-0503
GHSA-mhfv-9h99-jwg7 |
| VCID-ckvp-abay-jbbj | Possible to circumvent title-blacklist MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. |
CVE-2019-19709
GHSA-pjv5-vv93-p648 |
| VCID-e3sx-rstd-dfhk | Wikimedia MediaWiki Incorrect Access Control vulnerability An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. |
CVE-2019-12468
GHSA-wrhx-3pxr-6vgg |
| VCID-ehpz-k1zx-q7gg | Mediawiki BotPassword can bypass CentralAuth's account lock Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock |
CVE-2018-0505
GHSA-5c6w-f4w2-2grp |
| VCID-fnqx-7yjs-93c4 | Wikimedia information leak vulnerability Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12474
GHSA-2qrr-c2gh-pr35 |
| VCID-gkzq-thjf-z7fa | An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
CVE-2021-20270
GHSA-9w8r-397f-prfh PYSEC-2021-140 |
| VCID-h3ne-af56-xfa1 | Mediawiki information disclosure vulnerability Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid |
CVE-2018-0504
GHSA-hr8v-f4g2-p66f |
| VCID-j919-vgae-yqew | mediawiki: action=protect lets users with 'protect' permission protect to higher protection level |
CVE-2021-30152
|
| VCID-jxy5-a4h3-cbej | MediaWiki Cross-site Scripting (XSS) Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12471
GHSA-2rm7-xxx8-35jh |
| VCID-m44t-5z4c-juej | mediawiki: Cross-site scripting (XSS) in Special:Search |
CVE-2021-41798
|
| VCID-mq2b-kt76-yqes | MediaWiki makeCollapsible allows applying event handler to any CSS selector In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS). |
CVE-2020-10960
GHSA-pfm2-mqwj-ggm5 |
| VCID-mz2m-vq2z-aygk | mediawiki: divergent behavior for contributions and user pages of hidden users and missing users |
CVE-2020-35480
|
| VCID-neqa-12se-9uab | Modification of Assumed-Immutable Data (MAID) Prototype pollution attack through jQuery $.extend |
CVE-2019-11358
GHSA-6c3j-c64m-qhgq |
| VCID-nvmk-rsyq-43fn | mediawiki: XSS due to unescaped messages used in HTML on ChangesList pages |
CVE-2021-30157
|
| VCID-p8gc-bk7w-1khy | MediaWiki Cross-site Scripting (XSS) vulnerability In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. |
CVE-2020-25814
GHSA-4vr7-m8p8-434h |
| VCID-p93c-damj-kbec | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
CVE-2021-27291
GHSA-pq64-v7f5-gqh8 PYSEC-2021-141 |
| VCID-pe96-2tca-bqgu | mediawiki: potential XSS via the month messages such as MediaWiki:january through MediaWiki:december outputting Block Logs |
CVE-2020-35479
|
| VCID-pj3h-4tp6-ykhk | MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.34.x before 1.34.3. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML. |
CVE-2020-25812
GHSA-rj9p-8jxj-2ch4 |
| VCID-prsf-anz2-qkha | Wikimedia MediaWiki allows CSRF Wikimedia MediaWiki through 1.32.1 allows CSRF in logout feature. |
CVE-2019-12466
GHSA-27fw-r78j-h898 |
| VCID-q39u-5mhh-sfaj | Wikimedia Potential DOS due to slow WatchedItemStore::countVisitingWatchersMultiple Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12473
GHSA-33xw-x3pr-rvqj |
| VCID-s7wy-djqx-zqb3 | MediaWiki information disclosure In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. |
CVE-2019-16738
GHSA-7hwr-f745-5rwq |
| VCID-sfnb-39u7-cbap | MediaWiki Special:UserRights exposes the existence of hidden users In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, Special:UserRights exposes the existence of hidden users. |
CVE-2020-25813
GHSA-c4rj-wrmq-52rj |
| VCID-sh4s-g6hc-vbhf | mediawiki: users can bypass intended restrictions on deleting pages in certain "fast double move" situations |
CVE-2021-30159
|
| VCID-tbk5-k2e8-8kay | mediawiki: unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage |
CVE-2020-35477
|
| VCID-txrx-5js8-eybm | mediawiki: ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page |
CVE-2021-30155
|
| VCID-ux7m-sv8j-ybeq | OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. |
CVE-2020-25827
GHSA-rqvj-fc2x-99q6 |
| VCID-vr8g-6fet-q7ag | Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection. |
CVE-2020-17367
|
| VCID-w8h5-th3q-yffz | mediawiki: XSS due to unescaped messages used in HTML on Special:NewFiles |
CVE-2021-30154
|
| VCID-wsb2-mw64-q3e3 | Wikimedia MediaWik exposed suppressed log in RevisionDelete page Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
CVE-2019-12470
GHSA-733q-m38x-q7cc |
| VCID-xcxk-97jc-dyer | mediawiki: blocked users are unable to use Special:ResetTokens |
CVE-2021-30158
|