22 matches found

RedhatCVE
added 2025/10/18 8:46 p.m. · 1 views

CVE-2025-62508

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen versions from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element’s...

CVSS 6.5 · AI score 6.5 · EPSS 0.00033
Exploits: 0 · References: 1

Vulnrichment
added 2025/10/17 8:29 p.m. · 4 views

CVE-2025-62508 Citizen vulnerable to stored XSS in sticky header button messages

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen versions from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element’s...

CVSS 6.5 · AI score 6.2 · EPSS 0.00033
Exploits: 0 · References: 3

EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2024-42545

Malicious code in bioql PyPI...

CVSS 3.5 · AI score 6.6 · EPSS 0.00135
Exploits: 0 · References: 3

Snyk
added 2025/06/13 2:9 p.m. · 2 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the userDate function. An attacker can inject arbitrary HTML into the DOM by editing interface messages that are rendered as raw HTML. This is only exploitable if a user has the editinterface right but not t...

CVSS 8.5 · AI score 5.4 · EPSS 0.00156
Exploits: 1 · References: 2

RedhatCVE
added 2025/05/23 8:59 a.m. · 5 views

CVE-2024-47612

DataDump is a MediaWiki extension that provides dumps of wikis. Several interface messages are unescaped (more specifically, datadump-table-column-queued, datadump-table-column-in-progress, datadump-table-column-completed, datadump-table-column-failed). If these messages are edited (which requires t...

CVSS 3.5 · AI score 6.8 · EPSS 0.00135
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 7:14 a.m. · 4 views

CVE-2024-25107

WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the Language::date function is used when making the human-readable timestamp for inclusion on the wikicreation column. This function uses interface messages to translate the nam...

CVSS 6.1 · AI score 6 · EPSS 0.00218
Exploits: 0 · References: 1

NVD
added 2024/10/09 7:15 p.m. · 9 views

CVE-2024-47812

ImportDump is an extension for MediaWiki designed to automate user import requests. Anyone who can edit the interface strings of a wiki (typically administrators and interface admins) can embed XSS payloads in the messages for dates, and thus XSS anyone who views Special:RequestImportQueue. This...

CVSS 6 · EPSS 0.00144
Exploits: 0 · References: 3

Vulnrichment
added 2024/10/09 6:21 p.m. · 14 views

CVE-2024-47815 Cross-site Scripting in IncidentReporting

IncidentReporting is a MediaWiki extension for moving incident reports from wikitext to database tables. There are a variety of Cross-site Scripting issues, though all of them require elevated permissions. Some are available to anyone who has the editincidents right, some are available to those w...

CVSS 6 · AI score 6.7 · EPSS 0.00113
Exploits: 0 · References: 3

Vulnrichment
added 2024/10/02 2:22 p.m. · 28 views

CVE-2024-47612 XSS in Special:DataDump when displaying dump status

DataDump is a MediaWiki extension that provides dumps of wikis. Several interface messages are unescaped (more specifically, datadump-table-column-queued, datadump-table-column-in-progress, datadump-table-column-completed, datadump-table-column-failed). If these messages are edited (which requires t...

CVSS 3.5 · AI score 6.8 · EPSS 0.00135
Exploits: 0 · References: 3

Cvelist
added 2024/10/02 2:22 p.m. · 19 views

CVE-2024-47612 XSS in Special:DataDump when displaying dump status

DataDump is a MediaWiki extension that provides dumps of wikis. Several interface messages are unescaped (more specifically, datadump-table-column-queued, datadump-table-column-in-progress, datadump-table-column-completed, datadump-table-column-failed). If these messages are edited (which requires t...

CVSS 3.5 · EPSS 0.00135
Exploits: 0 · References: 3

Snyk
added 2024/05/05 9:30 p.m. · 1 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improperly sanitized interface messages in the getError function. An attacker can inject malicious scripts. Note: Fixed versions: 1.39.6, 1.40.2, 1.41.1 are not in Packagist. Details: Cross-site scripting ...

CVSS 6.1 · AI score 5.3 · EPSS 0.00299
Exploits: 0 · References: 2

Positive Technologies
added 2024/02/10 12:0 a.m. · 1 views

PT-2024-3267 · Mediawiki +1 · Mediawiki +1

Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.39.6; MediaWiki versions 1.40.x prior to 1.40.2; MediaWiki versions 1.41.x prior to 1.41.1. Description: The issue is related to the UnlinkedWikibase extension in MediaWiki, where improper neutralization of input...

CVSS 9.8 · AI score 5 · EPSS 0.00299
Exploits: 0 · References: 19

Prion
added 2024/02/09 11:15 p.m. · 9 views

Cross site scripting

ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape interface messages on the columns and help keys on the form descriptor. An attacker may exploit this and would have a cross site scripting attack vector. Exploiting this on-wiki requires...

CVSS 4.7 · AI score 6.7 · EPSS 0.0029
Exploits: 0 · References: 5

OSV
added 2024/02/09 10:25 p.m. · 9 views

CVE-2024-25109 Cross-Site Scripting in the extensions, settings, permissions and namespaces subpages of ManageWiki

ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape interface messages on the columns and help keys on the form descriptor. An attacker may exploit this and would have a cross site scripting attack vector. Exploiting this on-wiki requires...

CVSS 6.5 · AI score 6.2 · EPSS 0.0029
Exploits: 0 · References: 7

Positive Technologies
added 2024/02/09 12:0 a.m. · 4 views

PT-2024-20753 · Mediawiki · Managewiki

Name of the Vulnerable Software and Affected Versions: ManageWiki (affected versions not specified). Description: ManageWiki is a MediaWiki extension that allows users to manage wikis. The issue arises because Special:ManageWiki does not properly escape interface messages on the columns and help key...

CVSS 6.5 · AI score 6.5 · EPSS 0.0029
Exploits: 0 · References: 10

Prion
added 2024/02/08 11:15 p.m. · 12 views

Design/Logic Flaw

WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the Language::date function is used when making the human-readable timestamp for inclusion on the wikicreation column. This function uses interface messages to translate the nam...

CVSS 5.8 · AI score 6.3 · EPSS 0.00218
Exploits: 0 · References: 3 · Affected Software: 1

Cvelist
added 2024/02/08 10:46 p.m. · 17 views

CVE-2024-25107 Cross-Site Scripting in WikiDiscover

WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the Language::date function is used when making the human-readable timestamp for inclusion on the wikicreation column. This function uses interface messages to translate the nam...

CVSS 4.9 · AI score 6.1 · EPSS 0.00218
Exploits: 0 · References: 3

CVE
added 2024/02/08 10:46 p.m. · 62 views

CVE-2024-25107

WikiDiscover, an extension for CreateWiki, contains an XSS vulnerability in Special:WikiDiscover where Language::date uses unescaped interface messages from MONTH/DAY translations, yielding unescaped output. Exploitation requires the (editinterface) right. The issue is addressed in commit 267e763...

CVSS 6.1 · AI score 5.9 · EPSS 0.00218
Exploits: 0 · References: 3 · Affected Software: 1

CNVD
added 2020/10/13 12:0 a.m. · 1 views

ARC Informatique PcVue Remote Code Execution Vulnerability

PcVue is a multi-functional HMI-SCADA software from ARC Informatique, an all-in-one solution that monitors all aspects of a customer's assets. PcVue is used in a wide range of applications including industrial control, building management, energy management, smart grid, energy distribution,...

CVSS 9.8 · AI score 8.3 · EPSS 0.03235
Exploits: 0 · References: 1

NVD
added 2017/11/22 7:29 p.m. · 11 views

CVE-2017-8198

FusionSphere V100R006C00SPC102NFV has an SQL injection vulnerability. An authenticated, remote attacker could craft interface messages carrying malicious SQL statements and send them to a target device. Successful exploit could allow the attacker to launch an SQL injection attack and execute SQL...

CVSS 7.2 · AI score 7.4 · EPSS 0.00224
Exploits: 0 · References: 1