
Jacob-G

#14135 of 53,624
19 Total CVSS
Vulnerabilities · 2
Critical
2
PT-2020-14251
9
2020-09-15
Wikimedia · Mediawiki · CVE-2020-15179
**Name of the Vulnerable Software and Affected Versions**
ScratchSig extension for MediaWiki versions prior to 1.0.1

**Description**
The issue allows stored Cross-Site Scripting, enabling attackers with edit permission to execute scripts on visitors' browsers by using a `<script>` tag inside a `<scratchsig>` tag. This could potentially lead to privilege escalation and/or account takeover using the MediaWiki JavaScript API.

**Recommendations**
For ScratchSig extension for MediaWiki versions prior to 1.0.1, update to version 1.0.1 to resolve the issue. As a temporary workaround, consider disabling the ScratchSig extension completely until the patch is applied.
PT-2020-14240
10
2020-08-28
Mediawiki · Scratch Login · CVE-2020-15164
**Name of the Vulnerable Software and Affected Versions**
Scratch Login (MediaWiki extension) versions prior to 1.1

**Description**
The issue allows any account to be logged into by using the same username with leading, trailing, or repeated underscore(s), as these are treated as whitespace and trimmed by MediaWiki. This affects all users on any wiki using the Scratch Login extension.

**Recommendations**
For versions prior to 1.1, update to version 1.1 or later to resolve the issue.