Liangent

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions through 1.32.1 **Description** The issue is related to a component of the MediaWiki CMS for collaborative websites, which is vulnerable to cross-site request forgery (CSRF). This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The vulnerability is specifically noted in the logout feature. **Recommendations** For MediaWiki versions through 1.32.1, update to a version that includes a fix for this issue to prevent CSRF attacks. As a temporary workaround, consider restricting access to the logout feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.22.0 **Description** The issue allows remote attackers to determine if an IP is autoblocked via the "Change block" text on the Special:Contributions page. **Recommendations** For versions prior to 1.22.0, update to version 1.22.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.19.x through 1.19.7 MediaWiki versions 1.20.x through 1.20.6 MediaWiki versions 1.21.x through 1.21.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section. Additionally, remote administrators can inject arbitrary web script or HTML via a description. This is due to multiple cross-site scripting (XSS) vulnerabilities in the Wikibase extension. **Recommendations** For MediaWiki versions 1.19.x through 1.19.7, update to version 1.19.8 or later. For MediaWiki versions 1.20.x through 1.20.6, update to version 1.20.7 or later. For MediaWiki versions 1.21.x through 1.21.1, update to version 1.21.2 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.16.5 **Description** The issue allows remote attackers to bypass authentication by creating crafted `wikiUserID` and `wikiUserName` cookies, or by leveraging an unattended workstation, due to the failure to clear certain cached data after verification of an auth token fails when `wgBlockDisablesLogin` is enabled. **Recommendations** For versions prior to 1.16.5, update to version 1.16.5 or later to resolve the issue. As a temporary workaround, consider disabling the `wgBlockDisablesLogin` feature until a patch is available. Restrict access to sensitive areas of the wiki to minimize the risk of exploitation. Avoid leaving workstations unattended while logged in to the wiki.