Legoktm

Name of the Vulnerable Software and Affected Versions: Mediawiki - FeaturedFeeds Extension versions 1.39.X through 1.43.X Description: The issue is related to an Improper Input Validation vulnerability that allows Cross-Site Scripting (XSS) in the Mediawiki - FeaturedFeeds Extension. Recommendations: For versions 1.39.X through 1.43.X, consider disabling the FeaturedFeeds Extension until a patch is available to prevent potential Cross-Site Scripting (XSS) attacks.

**Name of the Vulnerable Software and Affected Versions** Freedom of the Press SecureDrop (affected versions not specified) **Description** A critical issue was found in Freedom of the Press SecureDrop, affecting some unknown functionality of the file gpg-agent.conf. The manipulation of this issue leads to symlink following and requires local access to approach the attack. **Recommendations** To fix this issue, it is recommended to apply a patch. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mailman Core versions prior to 3.3.5 **Description** An issue was discovered that allows an attacker with access to the REST API to use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces. **Recommendations** For Mailman Core versions prior to 3.3.5, update to version 3.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.6 MediaWiki versions 1.36.x prior to 1.36.4 MediaWiki versions 1.37.x prior to 1.37.2 **Description** An issue was discovered in MediaWiki where users with the `editinterface` permission can trigger infinite recursion. This occurs because a bare local interwiki is mishandled for the `mainpage` message. **Recommendations** For MediaWiki versions prior to 1.35.6, update to version 1.35.6 or later. For MediaWiki versions 1.36.x prior to 1.36.4, update to version 1.36.4 or later. For MediaWiki versions 1.37.x prior to 1.37.2, update to version 1.37.2 or later. As a temporary workaround, consider restricting the `editinterface` permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.31.15 and earlier MediaWiki versions 1.32.x through 1.35.x before 1.35.3 MediaWiki versions 1.36.x before 1.36.1 **Description** The issue concerns unintended API access for bots in MediaWiki. When a bot account has a "sitewide block" applied, it can still "purge" pages through the MediaWiki Action API, which should have been prevented by the block. This could potentially allow a remote attacker to impact data integrity. **Recommendations** For MediaWiki versions 1.31.15 and earlier, update to version 1.31.15 or later. For MediaWiki versions 1.32.x through 1.35.x before 1.35.3, update to version 1.35.3 or later. For MediaWiki versions 1.36.x before 1.36.1, update to version 1.36.1 or later. As a temporary workaround, consider restricting access to the MediaWiki Action API for bot accounts with a "sitewide block" applied.

**Name of the Vulnerable Software and Affected Versions** MediaWiki version 1.31 **Description** The issue arises from missing .htaccess files in the provided tarball for MediaWiki, which are used to protect certain directories from being web accessible. **Recommendations** For MediaWiki version 1.31, update to version 1.31.1 to include the necessary .htaccess files and protect the directories as intended.

**Name of the Vulnerable Software and Affected Versions** Mediawiki versions prior to 1.28.1 Mediawiki versions prior to 1.27.2 Mediawiki versions prior to 1.23.16 **Description** The issue concerns a flaw in the "Mark all pages visited" feature on the watchlist, which does not require a CSRF token. **Recommendations** For versions prior to 1.28.1, update to version 1.28.1 or later. For versions prior to 1.27.2, update to version 1.27.2 or later. For versions prior to 1.23.16, update to version 1.23.16 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.23.15 MediaWiki versions 1.26.x prior to 1.26.4 MediaWiki versions 1.27.x prior to 1.27.1 **Description** A cross-site scripting (XSS) issue exists due to the replacement of percent encoding in unclosed internal links, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 1.23.15, update to version 1.23.15 or later. For versions 1.26.x prior to 1.26.4, update to version 1.26.4 or later. For versions 1.27.x prior to 1.27.1, update to version 1.27.1 or later.

**Name of the Vulnerable Software and Affected Versions** MediWiki Echo extension (affected versions not specified) **Description** The issue concerns the Echo extension for MediWiki, which fails to properly implement the hideuser functionality. This allows remote authenticated users to view hidden usernames in certain notifications, such as Thanks notifications, that are not based on revisions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.19.20 MediaWiki versions 1.22.x prior to 1.22.12 MediaWiki versions 1.23.x prior to 1.23.5 **Description** The issue affects the Special:Preferences and Special:UserLogin pages in MediaWiki, allowing remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted CSS. This can be demonstrated by modifying MediaWiki:Common.css, which can lead to unspecified other impact. **Recommendations** For MediaWiki versions prior to 1.19.20, update to version 1.19.20 or later. For MediaWiki versions 1.22.x prior to 1.22.12, update to version 1.22.12 or later. For MediaWiki versions 1.23.x prior to 1.23.5, update to version 1.23.5 or later.