CVE | Product/Component | Description | Links |
---|---|---|---|
CVE-2024-34507 | MediaWiki/MediaWiki | XSS vulnerability in edit summary parser | T355538 blog writeup |
CVE-2023-29134 | MediaWiki/Cargo | SQL injection in Cargo due to handling of apostrophes inside backticks | T331362 |
CVE-2023-29136 | MediaWiki/Cargo | SQL injection in Cargo's handling of HTML entities | T331352 |
CVE-2023-35333 | Microsoft/MediaWiki-PandocUpload | Shell injection in the PandocUpload MediaWiki extension | git |
CVE-2023-37254 | MediaWiki/Cargo | XSS in Special:CargoQuery due to improper escaping | T331065 |
CVE-2023-37256 | MediaWiki/Cargo | XSS: javascript: URLs allowed in Cargo links | T331311 |
CVE-2023-29133 | MediaWiki/Cargo | XSS in the searchtext formatter in the Cargo extension | T331321 |
CVE-2023-22912 | MediaWiki/CheckUser | AES-CTR used with a repeated nonce, so the keystream is reused across messages | bug report |
CVE-2023-22911 | MediaWiki/Widgets | XSS in the Widgets extension when a widget is used inside an HTML attribute | bug report |
CVE-2022-47927 | MediaWiki | SQLite database containing credentials created world-readable | bug report |
CVE-2022-29969 | MediaWiki/RSS extension | XSS in a non-default config | bug report |
CVE-2022-23632 | Traefik | Mutual TLS requirement bypassed by requesting the host as an FQDN (trailing-dot form) | blog write-up, security advisory |
CVE-2020-9868 | macOS/Security | If an administrator marks a custom self-signed leaf certificate (i.e. one with the CA:false basic constraint) as trusted, the CA:false constraint is ignored, so that leaf certificate can sign other leaf certificates that are then treated as trusted | advisory |
GHSA-c27r-x354-4m68 | xml-crypto | Signature algorithm confusion in XML Signature (SAML) support allowing signature verification bypass | advisory |
CVE-2021-21239 | pysaml2 | xmlsec1 invoked without restricting the key type, so a key embedded in the document itself is accepted for verification, allowing signature bypass | advisory |
n/a | MediaWiki/Cargo | SQL injection into CREATE TABLE statement in Cargo extension | T188474 |
n/a | Wikimedia/Mobileapps | XSS in mobile apps HTML generator | bug report |
n/a | MediaWiki/CentralNotice | XSS in error handling | bug report |
CVE-2017-8808 | MediaWiki | [low severity] XSS in a non-default config with a non-standard browser | bug report |
CVE-2017-8808 CVE-2017-8812 CVE-2017-8815 | MediaWiki | XSS in LanguageConverter | bug report, bug report 2 |
CVE-2017-0364 | MediaWiki | Open redirect in Special:Search | bug report |
CVE-2017-0365 | MediaWiki | XSS in non-default config in search highlighter | bug report |
CVE-2017-0368 | MediaWiki | Wikitext injection into an error message, allowing restriction bypass and, in some configurations, XSS | bug report |
CVE-2017-0367 | MediaWiki | Unsafe temporary file handling allowing privilege escalation on a shared system | bug report |
n/a | MediaWiki/Kartographer | XSS via HTML sanitization bypass using keys named __proto__ | bug report |
CVE-2016-6334 | MediaWiki | XSS in link parsing code | bug report |
CVE-2016-6333 | MediaWiki | XSS in processing of CSS | bug report |
n/a | MediaWiki | Login attempt throttle bypass | bug report |
n/a | MediaWiki | XSS in MediaWiki parser due to strip marker handling | bug report |
CVE-2015-2933 | MediaWiki | XSS in language converter | bug report |
CVE-2015-2932 | MediaWiki | XSS via SVG sanitizer bypass | bug report |
n/a | MediaWiki/RelatedArticles | XSS in #related: parser function | bug report |
n/a | MediaWiki/TimedMediaHandler | XSS via the data-videopayload attribute in the TimedMediaHandler extension | bug report |