Bawolff

**Name of the Vulnerable Software and Affected Versions** Leafkit versions prior to 1.4.1 **Description** Leafkit’s `htmlEscaped` function inadequately escapes HTML special characters when dealing with extended grapheme clusters. This occurs because the function only escapes characters if the extended grapheme clusters match. By utilizing an extended grapheme cluster containing both a special HTML character and additional characters, the escaping mechanism can be bypassed. Specifically, within HTML attributes, this can lead to Cross-Site Scripting (XSS) if a leaf variable in the attribute is controlled by a user. The issue stems from the way Swift handles strings based on extended grapheme clusters, differing from HTML’s character-based approach. The function `replacingOccurrences(of:with:)` or `replacing` may be affected, depending on the Swift version. The vulnerability can be exploited by crafting a malicious payload within an attribute, such as the `title` attribute, to inject arbitrary HTML or JavaScript code. **Recommendations** Versions prior to 1.4.1 should be updated to version 1.4.1 or later.

Name of the Vulnerable Software and Affected Versions: Mediawiki - Mobile Frontend Extension versions 1.39 through 1.43 Description: The issue affects the Mediawiki - Mobile Frontend Extension, allowing exposure of sensitive information to an unauthorized actor. This enables shared resource manipulation. Recommendations: For versions 1.39 through 1.43, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Mediawiki - Visual Data Extension versions 1.39 through 1.43 Description: The issue is related to an Improper Input Validation vulnerability that allows HTTP DoS. This vulnerability affects the Mediawiki - Visual Data Extension. Recommendations: For versions 1.39 through 1.43, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mediawiki - CSS Extension versions 1.39.X through 1.39.8 Mediawiki - CSS Extension versions 1.41.X through 1.41.2 Mediawiki - CSS Extension versions 1.42.X through 1.42.1 **Description** The issue is related to improper encoding or escaping of output, which allows code injection. This is a Code Injection Vulnerability in the Mediawiki CSS Extension. **Recommendations** For versions 1.39.X through 1.39.8, update to version 1.39.9 or later. For versions 1.41.X through 1.41.2, update to version 1.41.3 or later. For versions 1.42.X through 1.42.1, update to version 1.42.2 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.39.7 MediaWiki versions 1.40.x prior to 1.40.3 MediaWiki versions 1.41.x prior to 1.41.1 **Description** The issue is related to the incorrect neutralization of input during web page creation in the includes/CommentFormatter/CommentParser.php file of MediaWiki. This can allow a remote attacker to perform cross-site scripting (XSS) attacks. The vulnerability is caused by the mishandling of the 0x1b character. An example of the exploitation is demonstrated by the `Special:RecentChanges#%1b0000000` endpoint. **Recommendations** For MediaWiki versions prior to 1.39.7, update to version 1.39.7 or later. For MediaWiki versions 1.40.x prior to 1.40.3, update to version 1.40.3 or later. For MediaWiki versions 1.41.x prior to 1.41.1, update to version 1.41.1 or later. As a temporary workaround, consider restricting access to the `includes/CommentFormatter/CommentParser.php` file until a patch is available. Avoid using the `0x1b` character in user input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MediaWiki PandocUpload Extension (affected versions not specified) **Description** The issue is related to insufficient input validation when processing shell arguments in the MediaWiki PandocUpload extension. This can be exploited by a remote attacker to execute arbitrary code by uploading a specially crafted file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GoogleAnalyticsMetrics extension for MediaWiki versions through 1.39.3 **Description** An issue was discovered in the googleanalyticstrackurl parser function, which does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs. **Recommendations** For versions through 1.39.3, update to a version that fixes the issue with the googleanalyticstrackurl parser function to prevent JavaScript injection through the onclick handler. As a temporary workaround, consider disabling the googleanalyticstrackurl parser function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MediaWiki Cargo extension versions through 1.39.3 **Description** An issue was discovered in the Cargo extension for MediaWiki that allows storing javascript: URLs in URL fields, and these URLs are automatically linked. **Recommendations** For MediaWiki Cargo extension versions through 1.39.3, update to a version later than 1.39.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MediaWiki Cargo extension versions through 1.39.3 **Description** An issue in the Cargo extension for MediaWiki allows XSS to occur in Special:CargoQuery via a crafted page item when using the default format. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include the use of a crafted page item in the `Special:CargoQuery` endpoint. **Recommendations** For MediaWiki Cargo extension versions through 1.39.3, update to a version later than 1.39.3 to resolve the issue. As a temporary workaround, consider restricting access to the `Special:CargoQuery` endpoint until a patch is available. Avoid using the default format in `Special:CargoQuery` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.9 MediaWiki versions 1.36.x through 1.38.x before 1.38.5 MediaWiki versions 1.39.x before 1.39.1 **Description** An issue was discovered in MediaWiki where the CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated nonce, allowing an adversary to decrypt. **Recommendations** For versions prior to 1.35.9, update to version 1.35.9 or later. For versions 1.36.x through 1.38.x before 1.38.5, update to version 1.38.5 or later. For versions 1.39.x before 1.39.1, update to version 1.39.1 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.9 MediaWiki versions 1.36.x through 1.38.x before 1.38.5 MediaWiki versions 1.39.x before 1.39.1 **Description** An issue was discovered in MediaWiki when installing with a pre-existing data directory that has weak permissions. The SQLite files are created with file mode 0644, making them world-readable to local users. These files include credentials data. **Recommendations** For MediaWiki versions prior to 1.35.9, update to version 1.35.9 or later. For MediaWiki versions 1.36.x through 1.38.x before 1.38.5, update to version 1.38.5 or later. For MediaWiki versions 1.39.x before 1.39.1, update to version 1.39.1 or later. As a temporary workaround, consider restricting access to the SQLite files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.9 MediaWiki versions 1.36.x through 1.38.x before 1.38.5 MediaWiki versions 1.39.x before 1.39.1 **Description** An issue in MediaWiki allows for XSS due to E-Widgets performing widget replacement in HTML attributes. This can lead to security issues because widget authors often do not expect their widgets to be executed in an HTML attribute context. **Recommendations** For MediaWiki versions prior to 1.35.9, update to version 1.35.9 or later. For MediaWiki versions 1.36.x through 1.38.x before 1.38.5, update to version 1.38.5 or later. For MediaWiki versions 1.39.x before 1.39.1, update to version 1.39.1 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki RSS extension versions prior to 2022-04-29 **Description** The issue allows XSS via an rss element if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true. **Recommendations** For versions prior to 2022-04-29, update to a version released after 2022-04-29 to resolve the issue. As a temporary workaround, consider setting $wgRSSAllowLinkTag to false to minimize the risk of exploitation. Restrict access to feeds not in $wgRSSUrlWhitelist to further reduce the risk.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.30.0 through 1.32.1 **Description** The issue is related to the possibility of loading user JavaScript from a non-existent account, which allows anyone to create the account and perform cross-site scripting (XSS) on users loading that script. This can be exploited by a remote attacker to compromise data integrity. **Recommendations** For MediaWiki versions 1.30.0 through 1.32.1, update to version 1.32.2, 1.31.2, 1.30.2, or 1.27.6 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.27.0 through 1.32.1 **Description** The issue is related to an Incorrect Access Control vulnerability that allows for bypassing re-authentication. This can be exploited by directly POSTing to the "Special:ChangeEmail" endpoint, potentially leading to account takeover, unauthorized access to protected information, and impact on data integrity. **Recommendations** For MediaWiki versions 1.27.0 through 1.32.1, consider restricting access to the "Special:ChangeEmail" endpoint until a patch is available. As a temporary workaround, disabling the re-authentication bypass functionality may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.28.1 MediaWiki versions prior to 1.27.2 **Description** The issue is related to an unsafe use of a temporary directory. By default, the LocalisationCache directory is set to the system's temporary directory, which is insecure. **Recommendations** For versions prior to 1.28.1, update to version 1.28.1 or later. For versions prior to 1.27.2, update to version 1.27.2 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.27.x before 1.27.1 **Description** The issue might allow remote attackers to bypass intended session access restrictions. This is achieved by leveraging a call to the `UserGetRights` function after `Session::getAllowedUserRights`. **Recommendations** For MediaWiki versions 1.27.x before 1.27.1, update to version 1.27.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the application that rely on session access restrictions until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Mediawiki versions prior to 1.28.1 Mediawiki versions prior to 1.27.2 Mediawiki versions prior to 1.23.16 **Description** The issue concerns a flaw in the Special:Search feature, which allows redirects to any interwiki link. **Recommendations** For versions prior to 1.28.1, update to version 1.28.1 or later. For versions prior to 1.27.2, update to version 1.27.2 or later. For versions prior to 1.23.16, update to version 1.23.16 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.28.1 MediaWiki versions prior to 1.27.2 MediaWiki versions prior to 1.23.16 **Description** The issue is related to a XSS vulnerability in the `highlightText()` function of the SearchHighlighter class, which occurs with non-default configurations. **Recommendations** For versions prior to 1.28.1, update to version 1.28.1 or later. For versions prior to 1.27.2, update to version 1.27.2 or later. For versions prior to 1.23.16, update to version 1.23.16 or later.

**Name of the Vulnerable Software and Affected Versions** Mediawiki versions prior to 1.28.1 Mediawiki versions prior to 1.27.2 Mediawiki versions prior to 1.23.16 **Description** The issue is related to a flaw in Mediawiki that affects the rawHTML mode, causing it to apply to system messages. **Recommendations** For versions prior to 1.28.1, update to version 1.28.1 or later. For versions prior to 1.27.2, update to version 1.27.2 or later. For versions prior to 1.23.16, update to version 1.23.16 or later.