Krenair

**Name of the Vulnerable Software and Affected Versions** MediaWiki CheckUser extension versions prior to 2.3 **Description** A cross-site request forgery (CSRF) issue exists, allowing remote attackers to hijack the authentication of arbitrary users for requests that perform sensitive write actions via unspecified vectors. **Recommendations** For versions prior to 2.3, update to version 2.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.19.x through 1.19.7 MediaWiki versions 1.20.x through 1.20.6 MediaWiki versions 1.21.x through 1.21.1 LiquidThreads (LQT) extension versions 2.x and possibly 3.x **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a thread subject in the pages/TalkpageHistoryView.php file of the LiquidThreads (LQT) extension. **Recommendations** For MediaWiki versions 1.19.x through 1.19.7, update to version 1.19.8 or later. For MediaWiki versions 1.20.x through 1.20.6, update to version 1.20.7 or later. For MediaWiki versions 1.21.x through 1.21.1, update to version 1.21.2 or later. For LiquidThreads (LQT) extension versions 2.x and possibly 3.x, consider disabling the TalkpageHistoryView.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.17.x through 1.17.2 MediaWiki versions 1.18.x through 1.18.1 **Description** The issue allows remote attackers to hijack the authentication of users with the block permission for requests that block or unblock a user. This is achieved via requests to the Block module or the Unblock module. **Recommendations** For MediaWiki versions 1.17.x through 1.17.2, update to version 1.17.3 or later. For MediaWiki versions 1.18.x through 1.18.1, update to version 1.18.2 or later.