Mediawiki · Mediawiki · CVE-2022-34911
**Name of the Vulnerable Software and Affected Versions**
MediaWiki versions prior to 1.35.7
MediaWiki versions 1.36.x
MediaWiki versions 1.37.x prior to 1.37.3
MediaWiki versions 1.38.x prior to 1.38.1
**Description**
An issue can occur in configurations that allow a JavaScript payload in a username, leading to XSS. After account creation, the username is not escaped when setting the page title to "Welcome" followed by the username. This happens because `SpecialCreateAccount::successfulAction()` calls `::showSuccessPage()` with a message as the second parameter, and `OutputPage::setPageTitle()` uses `text()`.
**Recommendations**
For MediaWiki versions prior to 1.35.7, update to version 1.35.7 or later.
For MediaWiki versions 1.36.x, update to version 1.37.3 or later.
For MediaWiki versions 1.37.x prior to 1.37.3, update to version 1.37.3 or later.
For MediaWiki versions 1.38.x prior to 1.38.1, update to version 1.38.1 or later.
As a temporary workaround until the update is applied, consider restricting which characters are permitted in usernames, so that a JavaScript payload cannot be registered as a username.
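The escaping gap from the description and the username restriction from the workaround, modelled in PHP as an added example; this is not MediaWiki source code. `WelcomeMessage`, `renderTitle()` and `isUsernameAllowed()` are hypothetical stand-ins, the sink's behaviour and the rejected character set are assumptions, and the username is a constructed sample.

```php
<?php
// Added illustration: simplified stand-ins, not MediaWiki source code.

/** Hypothetical model of a parameterised "Welcome" interface message. */
final class WelcomeMessage
{
    private $username;

    public function __construct(string $username)
    {
        $this->username = $username;
    }

    /** Models text(): the parameter is substituted with no HTML escaping. */
    public function text(): string
    {
        return 'Welcome, ' . $this->username . '!';
    }

    /** Models escaped(): the substituted result is HTML-escaped as a whole. */
    public function escaped(): string
    {
        return htmlspecialchars($this->text(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/** Hypothetical title sink (assumption): it trusts its argument to be safe HTML. */
function renderTitle(string $html): string
{
    return '<h1 id="firstHeading">' . $html . '</h1>';
}

/** Workaround model (assumed character set): refuse HTML-significant characters. */
function isUsernameAllowed(string $name): bool
{
    return $name !== '' && strpbrk($name, '<>&"\'') === false;
}

// Constructed sample username carrying markup.
$username = 'Alice<script>alert(1)</script>';
$msg = new WelcomeMessage($username);

echo renderTitle($msg->text()), PHP_EOL;    // unescaped: the username's markup reaches the page
echo renderTitle($msg->escaped()), PHP_EOL; // escaped: the username is rendered as inert text
var_dump(isUsernameAllowed($username));     // registration-time check on the sample username
var_dump(isUsernameAllowed('Alice'));       // same check on a plain username
```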