Mediawiki
Monthly
Exposure of sensitive information in Wikimedia Foundation MediaWiki allows remote unauthenticated attackers to access unauthorized data via network requests against affected versions before 1.43.7, 1.44.4, and 1.45.2. The vulnerability has low confidentiality impact with CVSS 5.5 and evidence of proof-of-concept code, though no active exploitation in CISA KEV has been confirmed at time of analysis.
MediaWiki before versions 1.43.7, 1.44.4, and 1.45.2 exposes sensitive information to unauthorized actors through a vulnerability requiring user interaction. The flaw allows information disclosure via network access without authentication, though impact is limited (CVSS 1.3) and requires user participation to trigger. Vendor-released patches are available across all affected major versions.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js.
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. [CVSS 4.7 MEDIUM]
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php.
Wikimedia Foundation Mediawiki - DiscussionTools Extension is affected by improper neutralization of special elements used in an expression language statement.
Insufficient access controls in the MediaWiki CampaignEvents extension (versions 1.39, 1.43, 1.44, 1.45) permit unauthenticated attackers to perform unauthorized actions by bypassing privilege checks. An attacker could exploit this vulnerability to gain elevated privileges within the extension without proper authorization. A patch is available to remediate this low-impact authorization flaw.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.
Cross-site scripting (XSS) in MediaWiki's GrowthExperiments extension (versions 1.39, 1.43, 1.44, 1.45) allows authenticated attackers to inject malicious scripts through improper input validation, with public exploit code available. An attacker with user privileges can exploit this vulnerability to perform actions on behalf of other users or steal sensitive information due to the low complexity attack vector and user interaction requirement. A patch is available for affected installations.
Improper output encoding in MediaWiki's Approved Revs extension through magic word replacement allows unauthenticated attackers to manipulate input data and conduct content injection attacks. Affected versions 1.39, 1.43, 1.44, and 1.45 are vulnerable to this network-accessible flaw that requires user interaction, and public exploit code exists. A patch is available to remediate the vulnerability.
Cross-site scripting (XSS) in MediaWiki's Wikibase extension allows authenticated attackers to inject malicious scripts through improper input handling during page generation, affecting versions 1.39, 1.43, 1.44, and 1.45. Exploitation requires user interaction and results in limited confidentiality and integrity impact within the affected application context. A patch is available and public exploit code exists for this vulnerability.
Mediawiki-Extensions-Uploadwizard versions up to 1.39 is affected by cross-site scripting (xss) (CVSS 6.1).
Cross-site scripting (XSS) in MediaWiki's ProofreadPage extension (versions 1.39, 1.43, 1.44, 1.45) allows attackers to inject malicious scripts through improper input sanitization during web page generation. Public exploit code exists for this vulnerability, which requires user interaction to trigger. A patch is available to remediate the issue.
The MediaWiki CSS extension in versions 1.39, 1.43, and 1.44 contains a path traversal vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server. Public exploit code exists for this vulnerability, enabling attackers to access sensitive information outside the intended directory restrictions. A patch is available and should be applied immediately to affected installations.
Visualdata versions up to - is affected by inefficient regular expression complexity (redos) (CVSS 5.3).
A security vulnerability in DynamicPageList3 extension (CVSS 8.7). High severity vulnerability requiring prompt remediation.
A denial of service vulnerability in DiscordNotifications (CVSS 9.1) that allows sending requests. Critical severity with potential for significant impact on affected systems.
An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Exposure of sensitive information in Wikimedia Foundation MediaWiki allows remote unauthenticated attackers to access unauthorized data via network requests against affected versions before 1.43.7, 1.44.4, and 1.45.2. The vulnerability has low confidentiality impact with CVSS 5.5 and evidence of proof-of-concept code, though no active exploitation in CISA KEV has been confirmed at time of analysis.
MediaWiki before versions 1.43.7, 1.44.4, and 1.45.2 exposes sensitive information to unauthorized actors through a vulnerability requiring user interaction. The flaw allows information disclosure via network access without authentication, though impact is limited (CVSS 1.3) and requires user participation to trigger. Vendor-released patches are available across all affected major versions.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js.
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. [CVSS 4.7 MEDIUM]
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php.
Wikimedia Foundation Mediawiki - DiscussionTools Extension is affected by improper neutralization of special elements used in an expression language statement.
Insufficient access controls in the MediaWiki CampaignEvents extension (versions 1.39, 1.43, 1.44, 1.45) permit unauthenticated attackers to perform unauthorized actions by bypassing privilege checks. An attacker could exploit this vulnerability to gain elevated privileges within the extension without proper authorization. A patch is available to remediate this low-impact authorization flaw.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.
Cross-site scripting (XSS) in MediaWiki's GrowthExperiments extension (versions 1.39, 1.43, 1.44, 1.45) allows authenticated attackers to inject malicious scripts through improper input validation, with public exploit code available. An attacker with user privileges can exploit this vulnerability to perform actions on behalf of other users or steal sensitive information due to the low complexity attack vector and user interaction requirement. A patch is available for affected installations.
Improper output encoding in MediaWiki's Approved Revs extension through magic word replacement allows unauthenticated attackers to manipulate input data and conduct content injection attacks. Affected versions 1.39, 1.43, 1.44, and 1.45 are vulnerable to this network-accessible flaw that requires user interaction, and public exploit code exists. A patch is available to remediate the vulnerability.
Cross-site scripting (XSS) in MediaWiki's Wikibase extension allows authenticated attackers to inject malicious scripts through improper input handling during page generation, affecting versions 1.39, 1.43, 1.44, and 1.45. Exploitation requires user interaction and results in limited confidentiality and integrity impact within the affected application context. A patch is available and public exploit code exists for this vulnerability.
Mediawiki-Extensions-Uploadwizard versions up to 1.39 is affected by cross-site scripting (xss) (CVSS 6.1).
Cross-site scripting (XSS) in MediaWiki's ProofreadPage extension (versions 1.39, 1.43, 1.44, 1.45) allows attackers to inject malicious scripts through improper input sanitization during web page generation. Public exploit code exists for this vulnerability, which requires user interaction to trigger. A patch is available to remediate the issue.
The MediaWiki CSS extension in versions 1.39, 1.43, and 1.44 contains a path traversal vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server. Public exploit code exists for this vulnerability, enabling attackers to access sensitive information outside the intended directory restrictions. A patch is available and should be applied immediately to affected installations.
Visualdata versions up to - is affected by inefficient regular expression complexity (redos) (CVSS 5.3).
A security vulnerability in DynamicPageList3 extension (CVSS 8.7). High severity vulnerability requiring prompt remediation.
A denial of service vulnerability in DiscordNotifications (CVSS 9.1) that allows sending requests. Critical severity with potential for significant impact on affected systems.
An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.