Timeline
Monthly
Code injection in the Wikimedia Foundation Timeline extension (EasyTimeline) allows authenticated wiki editors to execute arbitrary server-side code via crafted timeline syntax processed by the Perl-based EasyTimeline.Pl script and its PHP integration layer Timeline.Php. The vulnerability stems from CWE-94 improper code generation control, where user-supplied timeline markup is passed to the backend Perl interpreter without sufficient sanitization, enabling remote code execution on the MediaWiki server. No public exploit code has been identified at time of analysis, but the RCE tag and network-accessible attack vector make this a high-priority patching target for any publicly editable or semi-public MediaWiki instance.
Stored cross-site scripting in the Wikimedia Foundation Timeline extension exposes MediaWiki installations to session hijacking and credential theft. The flaw exists in Timeline.php and EasyTimeline.pl, where user-supplied timeline markup syntax is not properly neutralized before HTML output, allowing an authenticated wiki editor to inject arbitrary JavaScript executed in other users' browsers. No public exploit has been identified at time of analysis, and KEV listing is absent, but the network-accessible nature and low-privilege entry point make this a credible risk on publicly editable wikis.
Unrestricted file upload vulnerability in the Manage Project functionality in Livetecs Timelive before 6.5.1 allows remote authenticated users to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Livetecs Timelive before 6.2.8 does not properly restrict access to systemsetting.aspx, which allows remote attackers to change configurations and obtain the database connection string and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Code injection in the Wikimedia Foundation Timeline extension (EasyTimeline) allows authenticated wiki editors to execute arbitrary server-side code via crafted timeline syntax processed by the Perl-based EasyTimeline.Pl script and its PHP integration layer Timeline.Php. The vulnerability stems from CWE-94 improper code generation control, where user-supplied timeline markup is passed to the backend Perl interpreter without sufficient sanitization, enabling remote code execution on the MediaWiki server. No public exploit code has been identified at time of analysis, but the RCE tag and network-accessible attack vector make this a high-priority patching target for any publicly editable or semi-public MediaWiki instance.
Stored cross-site scripting in the Wikimedia Foundation Timeline extension exposes MediaWiki installations to session hijacking and credential theft. The flaw exists in Timeline.php and EasyTimeline.pl, where user-supplied timeline markup syntax is not properly neutralized before HTML output, allowing an authenticated wiki editor to inject arbitrary JavaScript executed in other users' browsers. No public exploit has been identified at time of analysis, and KEV listing is absent, but the network-accessible nature and low-privilege entry point make this a credible risk on publicly editable wikis.
Unrestricted file upload vulnerability in the Manage Project functionality in Livetecs Timelive before 6.5.1 allows remote authenticated users to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Livetecs Timelive before 6.2.8 does not properly restrict access to systemsetting.aspx, which allows remote attackers to change configurations and obtain the database connection string and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.