Schnark

**Nome do software vulnerável e versões afetadas** Versões do MediaWiki 1.23.x a 1.23.15 Versões do MediaWiki 1.24.x a 1.27.x anteriores à 1.27.2 Versões do MediaWiki 1.28.x anteriores à 1.28.1 **Descrição** A vulnerabilidade permite que invasores remotos descubram os endereços IP dos visitantes do Wiki por meio de um ataque do tipo style="background-image: attr(title url);" dentro de um elemento DIV que possua uma URL controlada pelo invasor no atributo `title`. Esse ataque possibilita a divulgação dos endereços IP dos visitantes. **Recomendações** Para as versões do MediaWiki 1.23.x a 1.23.15, atualize para a versão 1.23.16 ou posterior. Para as versões do MediaWiki 1.24.x a 1.27.x anteriores à 1.27.2, atualize para a versão 1.27.2 ou posterior. Para as versões 1.28.x do MediaWiki anteriores à 1.28.1, atualize para a versão 1.28.1 ou posterior.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.23.15 MediaWiki versions 1.26.x prior to 1.26.4 MediaWiki versions 1.27.x prior to 1.27.1 **Description** The issue allows remote attackers to obtain sensitive information via a parse action to "api.php". This is due to the software not generating head items in the context of a given title. **Recommendations** For versions prior to 1.23.15, update to version 1.23.15 or later. For versions 1.26.x prior to 1.26.4, update to version 1.26.4 or later. For versions 1.27.x prior to 1.27.1, update to version 1.27.1 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki TemplateSandbox extension (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists in the preview feature of the TemplateSandbox extension for MediaWiki. This allows remote attackers to inject arbitrary web script or HTML via the `text` parameter to the "Special:TemplateSandbox" endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.22.x through 1.22.8 MediaWiki versions 1.23.x through 1.23.1 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved through vectors involving the multipageimagenavbox class in conjunction with an action=raw value. **Recommendations** For MediaWiki versions 1.22.x through 1.22.8, update to version 1.22.9 or later. For MediaWiki versions 1.23.x through 1.23.1, update to version 1.23.2 or later.