John Menerick

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.23.10 MediaWiki versions 1.24.x prior to 1.24.3 MediaWiki versions 1.25.x prior to 1.25.2 **Description** The issue allows remote attackers to determine if an IP is autoblocked via the "Change block" text on the Special:DeletedContributions page. **Recommendations** For MediaWiki versions prior to 1.23.10, update to version 1.23.10 or later. For MediaWiki versions 1.24.x prior to 1.24.3, update to version 1.24.3 or later. For MediaWiki versions 1.25.x prior to 1.25.2, update to version 1.25.2 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.23.10 MediaWiki versions 1.24.x prior to 1.24.3 MediaWiki versions 1.25.x prior to 1.25.2 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `rel404` parameter, which is not properly handled in an error page. **Recommendations** For MediaWiki versions prior to 1.23.10, update to version 1.23.10 or later. For MediaWiki versions 1.24.x prior to 1.24.3, update to version 1.24.3 or later. For MediaWiki versions 1.25.x prior to 1.25.2, update to version 1.25.2 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.23.10 MediaWiki versions 1.24.x prior to 1.24.3 MediaWiki versions 1.25.x prior to 1.25.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `f` parameter, which is not properly handled in an error page, related to "ForeignAPI images." This is a cross-site scripting (XSS) vulnerability in the thumb.php file. **Recommendations** For MediaWiki versions prior to 1.23.10, update to version 1.23.10 or later. For MediaWiki versions 1.24.x prior to 1.24.3, update to version 1.24.3 or later. For MediaWiki versions 1.25.x prior to 1.25.2, update to version 1.25.2 or later. As a temporary workaround, consider restricting access to the thumb.php file until a patch is available. Avoid using the `f` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MediaWiki Quiz extension (affected versions not specified) **Description** The issue allows remote attackers to cause a denial of service by using regex metacharacters in a regular expression. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MediaWiki Widgets extension (affected versions not specified) **Description** A cross-site scripting (XSS) issue in the Widgets extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors involving base64 encoded content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.