Orangestar

**Name of the Vulnerable Software and Affected Versions** CreateWiki (affected versions not specified) **Description** The issue allows users to be considered as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester at the wiki where the wiki request was made. This enables them to take actions allowed to the wiki requester on Special:RequestWikiQueue. The problem has been fixed by disabling access to the REST API and special pages outside of the wiki configured as the "global wiki" in $wgCreateWikiGlobalWiki. **Recommendations** As a temporary workaround, consider disabling the special pages outside of one's own global wiki by adapting the changes similar to miraheze/mw-config commit e5664995fbb8644f9a80b450b4326194f20f9ddc to one's own setup. Disable the REST API outside of the global wiki by using $wgCreateWikiDisableRESTAPI and $wgConf in the configuration for one's own wiki farm. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CreateWiki versions prior to 23415c17ffb4832667c06abcf1eadadefd4c8937 **Description** The issue affects CreateWiki, a MediaWiki extension used for requesting and creating wikis on Miraheze. Users with specific rights, such as `delete` or `suppressrevision`, on any wiki in the farm can access suppressed wiki requests by visiting the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The vulnerability was briefly present in the REST API but was quickly corrected. **Recommendations** For versions prior to 23415c17ffb4832667c06abcf1eadadefd4c8937, update to a version that includes the fix to resolve the issue. As a temporary workaround, consider restricting access to the Special:RequestWikiQueue page for users with `delete` or `suppressrevision` rights until the update is applied.

**Name of the Vulnerable Software and Affected Versions** CreateWiki (affected versions not specified) **Description** The issue affects CreateWiki, Miraheze's MediaWiki extension for requesting and creating wikis. Suppression of wiki requests does not work as intended, always restricting visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.