Max CVSS | 6.8 | Min CVSS | 3.5 | Total Count | 2 |
ID | CVSS | Summary | Last (major) update | Published |
CVE-2015-8008 | 5.0 | The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token. | 11-01-2018 - 16:03 | 29-12-2017 - 22:29 |
CVE-2015-8009 | 5.0 | The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote regist | 15-09-2017 - 01:29 | 25-07-2017 - 14:29 |
CVE-2015-8007 | 4.0 | The Echo extension for MediaWiki does not properly implement the hideuser functionality, which allows remote authenticated users to see hidden usernames in "non-revision based" notifications, as demonstrated by viewing a hidden username in a Thanks no | 10-11-2015 - 18:52 | 09-11-2015 - 18:59 |
CVE-2015-8006 | 4.3 | Cross-site scripting (XSS) vulnerability in the PageTriage toolbar in the PageTriage extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the page title. | 10-11-2015 - 18:27 | 09-11-2015 - 18:59 |
CVE-2015-8002 | 6.8 | The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authenticated users to cause a denial of service (disk consumption) via a file upload using one byte chunks. | 10-11-2015 - 18:26 | 09-11-2015 - 18:59 |
CVE-2015-8004 | 4.0 | MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revision | 10-11-2015 - 17:54 | 09-11-2015 - 18:59 |
CVE-2015-8003 | 6.8 | MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not throttle file uploads, which allows remote authenticated users to have unspecified impact via multiple file uploads. | 10-11-2015 - 17:53 | 09-11-2015 - 18:59 |
CVE-2015-8001 | 3.5 | The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a ch | 10-11-2015 - 17:50 | 09-11-2015 - 18:59 |
CVE-2015-8005 | 5.0 | MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file. | 10-11-2015 - 14:19 | 09-11-2015 - 18:59 |