The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or.....
9CVSS
9.2AI Score
0.001EPSS
in Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated underscore(s), since those are treated as whitespace and trimmed by MediaWiki. This affects all users on any wiki using this extension. Since...
10CVSS
9.4AI Score
0.001EPSS