Arlolra

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.11 MediaWiki versions 1.36.x through 1.38.x before 1.38.7 MediaWiki versions 1.39.x before 1.39.4 MediaWiki versions 1.40.x before 1.40.1 **Description** An issue was discovered in MediaWiki. It is possible to bypass the Bad image list (aka badFile) by using the `thumb` parameter (aka Manualthumb) of the File syntax. **Recommendations** For versions prior to 1.35.11, update to version 1.35.11 or later. For versions 1.36.x through 1.38.x before 1.38.7, update to version 1.38.7 or later. For versions 1.39.x before 1.39.4, update to version 1.39.4 or later. For versions 1.40.x before 1.40.1, update to version 1.40.1 or later. As a temporary workaround, consider restricting the use of the `thumb` parameter in the File syntax until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Wikimedia Parsoid versions prior to 0.11.1 Wikimedia Parsoid versions 0.12.x prior to 0.12.2 **Description** An issue allows an attacker to send crafted wikitext that will be transformed by Utils/WTUtils.php using a <meta> tag, bypassing sanitization steps, and potentially allowing for XSS. **Recommendations** For versions prior to 0.11.1, update to version 0.11.1 or later. For versions 0.12.x prior to 0.12.2, update to version 0.12.2 or later.