GCVE - cpe:2.3:a:mediawiki:mediawiki:1.17.1:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:mediawiki:mediawiki:1.17.1:*:*:*:*:*:*:*

part: a version: 1.17.1 update: *

Vendor	Mediawiki (`cdb1ca1d-4622-5407-a7d8-3e891579b8c5`)
Product	Mediawiki (`ab97168e-95e7-5d6e-a2ac-f8d27117dc4d`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/wikimedia/mediawiki`	purl2cpe	2026-06-01 10:10:57.618091
`pkg:wikimedia/mediawiki`	purl2cpe	2026-06-01 10:10:57.618093

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2014-2853`	vulnerable	2026-06-03 14:33:51.991506	Details available Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action. Published: 2014-04-29T18:00:00.000Z Updated: 2024-08-06T10:28:46.374Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/67068 http://www.securitytracker.com/id/1030161 http://secunia.com/advisories/58262 https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6 http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-2244`	vulnerable	2026-06-03 14:33:50.161504	Details available Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php. Published: 2014-03-02T02:00:00.000Z Updated: 2024-08-06T10:06:00.222Z Open on db.gcve.eu Reference links http://openwall.com/lists/oss-security/2014/02/28/1 http://www.securityfocus.com/bid/65906 http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html https://gerrit.wikimedia.org/r/#/q/Idf985e4e69c2f11778a8a90503914678441cb3fb%2Cn%2Cz https://bugzilla.wikimedia.org/show_bug.cgi?id=61362	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-2243`	vulnerable	2026-06-03 14:33:50.159136	Details available includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses. Published: 2014-03-02T02:00:00.000Z Updated: 2024-08-06T10:06:00.267Z Open on db.gcve.eu Reference links http://openwall.com/lists/oss-security/2014/02/28/1 https://bugzilla.wikimedia.org/show_bug.cgi?id=61346 http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html https://bugzilla.redhat.com/show_bug.cgi?id=1071136 http://openwall.com/lists/oss-security/2014/03/01/2	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-2242`	vulnerable	2026-06-03 14:33:50.142574	Details available includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element. Published: 2014-03-02T02:00:00.000Z Updated: 2024-08-06T10:06:00.324Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/65910 http://openwall.com/lists/oss-security/2014/02/28/1 https://gerrit.wikimedia.org/r/#/q/7d923a6b53f7fbcb0cbc3a19797d741bf6f440eb%2Cn%2Cz http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html https://bugzilla.wikimedia.org/show_bug.cgi?id=60771	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-2032`	vulnerable	2026-06-03 14:32:53.315754	Details available MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks. Published: 2013-11-15T18:16:00.000Z Updated: 2024-08-06T15:20:37.400Z Open on db.gcve.eu Reference links http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105825.html http://secunia.com/advisories/55433 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106293.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105784.html http://security.gentoo.org/glsa/glsa-201310-21.xml	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-2031`	vulnerable	2026-06-03 14:32:53.303550	Details available MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox. Published: 2013-11-15T18:16:00.000Z Updated: 2024-08-06T15:20:37.509Z Open on db.gcve.eu Reference links http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105825.html http://secunia.com/advisories/57472 https://bugzilla.wikimedia.org/show_bug.cgi?id=47304 http://secunia.com/advisories/55433 http://www.debian.org/security/2014/dsa-2891	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-4885`	vulnerable	2026-06-03 14:32:26.049096	Details available The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function. Published: 2012-09-09T21:00:00.000Z Updated: 2024-09-16T23:51:59.586Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2012/03/24/1 http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000110.html http://secunia.com/advisories/48504 https://bugzilla.wikimedia.org/show_bug.cgi?id=35315 https://bugzilla.wikimedia.org/show_bug.cgi?id=22555	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-2698`	vulnerable	2026-06-03 14:31:54.434369	Details available Cross-site scripting (XSS) vulnerability in the outputPage function in includes/SkinTemplate.php in MediaWiki before 1.17.5, 1.18.x before 1.18.4, and 1.19.x before 1.19.1 allows remote attackers to inject arbitrary web script or HTML via the uselang parameter to index.php/Main_page. Published: 2012-06-29T19:00:00.000Z Updated: 2024-08-06T19:42:31.984Z Open on db.gcve.eu Reference links http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.html https://www.mediawiki.org/wiki/Release_notes/1.18 http://www.osvdb.org/82983 http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000117.html http://secunia.com/advisories/49484	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1582`	vulnerable	2026-06-03 14:31:43.377642	Details available Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to inject arbitrary web script or HTML via a crafted page with "forged strip item markers," as demonstrated using the CharInsert extension. Published: 2012-09-09T21:00:00.000Z Updated: 2024-08-06T19:01:02.188Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2012/03/24/1 http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000110.html http://secunia.com/advisories/48504 https://bugzilla.wikimedia.org/show_bug.cgi?id=35315 http://osvdb.org/80363	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1581`	vulnerable	2026-06-03 14:31:43.377019	Details available MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random numbers for password reset tokens, which makes it easier for remote attackers to change the passwords of arbitrary users. Published: 2012-09-09T21:00:00.000Z Updated: 2024-08-06T19:01:02.685Z Open on db.gcve.eu Reference links https://bugzilla.wikimedia.org/show_bug.cgi?id=35078 http://www.openwall.com/lists/oss-security/2012/03/24/1 http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000110.html http://secunia.com/advisories/48504 https://exchange.xforce.ibmcloud.com/vulnerabilities/78910	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1580`	vulnerable	2026-06-03 14:31:43.376456	Details available Cross-site request forgery (CSRF) vulnerability in Special:Upload in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload files. Published: 2012-09-09T21:00:00.000Z Updated: 2024-08-06T19:01:02.473Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2012/03/24/1 http://osvdb.org/80364 http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000110.html https://bugzilla.wikimedia.org/show_bug.cgi?id=35317 http://secunia.com/advisories/48504	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1579`	vulnerable	2026-06-03 14:31:43.375854	Details available The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. Published: 2012-09-09T21:00:00.000Z Updated: 2024-08-06T19:01:02.555Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2012/03/24/1 https://bugzilla.wikimedia.org/show_bug.cgi?id=34907 http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000110.html http://secunia.com/advisories/48504 http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000109.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1578`	vulnerable	2026-06-03 14:31:43.372366	Details available Multiple cross-site request forgery (CSRF) vulnerabilities in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allow remote attackers to hijack the authentication of users with the block permission for requests that (1) block a user via a request to the Block module or (2) unblock a user via a request to the Unblock module. Published: 2012-09-09T21:00:00.000Z Updated: 2024-08-06T19:01:02.739Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/78911 http://www.openwall.com/lists/oss-security/2012/03/24/1 http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-March/000110.html http://secunia.com/advisories/48504 https://bugzilla.wikimedia.org/show_bug.cgi?id=34212	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.