MediaWiki · MediaWiki · CVE-2023-45360
**Name of the Vulnerable Software and Affected Versions**
MediaWiki versions prior to 1.35.12
MediaWiki versions 1.36.x through 1.39.x before 1.39.5
MediaWiki versions 1.40.x before 1.40.1
**Description**
This is a cross-site scripting (XSS) issue in the `youhavenewmessagesmanyusers` and `youhavenewmessages` i18n messages, and it is connected to the `MediaWiki:Youhavenewmessagesfromusers` message. Input is not properly neutralized during web page generation, which allows a remote attacker to perform cross-site scripting attacks.
**Recommendations**
For MediaWiki versions prior to 1.35.12, update to version 1.35.12 or later.
For MediaWiki versions 1.36.x through 1.39.x, update to version 1.39.5 or later.
For MediaWiki versions 1.40.x before 1.40.1, update to version 1.40.1 or later.
As a temporary workaround, consider restricting access to the `youhavenewmessagesmanyusers` and `youhavenewmessages` i18n messages until the update can be applied.
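
The affected ranges and update targets above can be checked against an inventory of installed versions. The following Python sketch is an added example, not part of the original advisory or of MediaWiki; the function names, the handling of pre-release suffixes and the sample inventory are assumptions made for illustration.

```python
import re

# (lowest affected, first fixed) pairs, taken from the version list above.
# The fourth tuple field is 0 for a pre-release and 1 for a final release.
AFFECTED = [
    ((0, 0, 0, 0), (1, 35, 12, 1)),   # prior to 1.35.12
    ((1, 36, 0, 0), (1, 39, 5, 1)),   # 1.36.x through 1.39.x before 1.39.5
    ((1, 40, 0, 0), (1, 40, 1, 1)),   # 1.40.x before 1.40.1
]
_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(\S*)\s*$")
_PRERELEASE = re.compile(r"alpha|beta|rc", re.IGNORECASE)


def parse_version(text):
    """Turn '1.39.4' or '1.40.1-rc.0' into a comparable tuple."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    # Assumption: a missing patch level means .0, and an alpha/beta/rc
    # suffix sorts before the final release with the same number.
    final = 0 if _PRERELEASE.search(suffix) else 1
    return (int(major), int(minor), int(patch or 0), final)


def fixed_in(text):
    """Return the first fixed release for an affected version, else None."""
    version = parse_version(text)
    for low, fix in AFFECTED:
        if low <= version < fix:
            return ".".join(str(n) for n in fix[:3])
    return None


def triage(inventory):
    """Map host -> version into sorted (host, version, action) rows."""
    rows = []
    for host, text in sorted(inventory.items()):
        try:
            fix = fixed_in(text)
            action = f"update to {fix} or later" if fix else "not in an affected range"
        except ValueError:
            action = "check manually"   # never drop a host silently
        rows.append((host, text, action))
    return rows


if __name__ == "__main__":
    # Constructed inventory; host names and versions are illustrative.
    sample = {"wiki-a": "1.39.4", "wiki-b": "1.40.1", "wiki-c": "1.35.11",
              "wiki-d": "1.40.1-rc.0", "wiki-e": "unknown"}
    for row in triage(sample):
        print(*row, sep="\t")
```

Versions outside the three listed ranges are reported as not affected only in the sense that this advisory does not list them.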