Schnark

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.23.x through 1.23.15 MediaWiki versions 1.24.x through 1.27.x before 1.27.2 MediaWiki versions 1.28.x before 1.28.1 **Description** The issue allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the `title` attribute. This attack enables the disclosure of visitor IP addresses. **Recommendations** For MediaWiki versions 1.23.x through 1.23.15, update to version 1.23.16 or later. For MediaWiki versions 1.24.x through 1.27.x before 1.27.2, update to version 1.27.2 or later. For MediaWiki versions 1.28.x before 1.28.1, update to version 1.28.1 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.23.15 MediaWiki versions 1.26.x prior to 1.26.4 MediaWiki versions 1.27.x prior to 1.27.1 **Description** The issue allows remote attackers to obtain sensitive information via a parse action to "api.php". This is due to the software not generating head items in the context of a given title. **Recommendations** For versions prior to 1.23.15, update to version 1.23.15 or later. For versions 1.26.x prior to 1.26.4, update to version 1.26.4 or later. For versions 1.27.x prior to 1.27.1, update to version 1.27.1 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki TemplateSandbox extension (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists in the preview feature of the TemplateSandbox extension for MediaWiki. This allows remote attackers to inject arbitrary web script or HTML via the `text` parameter to the "Special:TemplateSandbox" endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.22.x through 1.22.8 MediaWiki versions 1.23.x through 1.23.1 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved through vectors involving the multipageimagenavbox class in conjunction with an action=raw value. **Recommendations** For MediaWiki versions 1.22.x through 1.22.8, update to version 1.22.9 or later. For MediaWiki versions 1.23.x through 1.23.1, update to version 1.23.2 or later.