Tgr

**Name of the Vulnerable Software and Affected Versions** GrowthExperiments extension for MediaWiki versions through 1.39.3 **Description** An issue in the GrowthExperiments extension for MediaWiki allows attackers to see edits for which the username has been hidden, due to a lack of check for `rev deleted`. **Recommendations** For GrowthExperiments extension for MediaWiki versions through 1.39.3, consider updating to a version that includes a fix for this issue, as no specific workaround is provided in the available information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.28.1 MediaWiki versions prior to 1.27.2 MediaWiki versions prior to 1.23.16 **Description** The issue is an information disclosure flaw. The api.log might contain passwords in plaintext. **Recommendations** For versions prior to 1.28.1, update to version 1.28.1 or later. For versions prior to 1.27.2, update to version 1.27.2 or later. For versions prior to 1.23.16, update to version 1.23.16 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.23.12 MediaWiki versions 1.24.x prior to 1.24.5 **Description** The issue allows remote attackers to bypass CSRF protection via a timing attack. This is due to the `User::matchEditToken` function not performing token comparison in constant time before returning. **Recommendations** For MediaWiki versions prior to 1.23.12, update to version 1.23.12 or later. For MediaWiki versions 1.24.x prior to 1.24.5, update to version 1.24.5 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.23.12 MediaWiki versions 1.24.x prior to 1.24.5 MediaWiki versions 1.25.x prior to 1.25.4 MediaWiki versions 1.26.x prior to 1.26.1 **Description** The issue allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack. This is due to the `User::matchEditToken` function not performing token comparison in constant time before determining if a debugging message should be logged. **Recommendations** For MediaWiki versions prior to 1.23.12, update to version 1.23.12 or later. For MediaWiki versions 1.24.x prior to 1.24.5, update to version 1.24.5 or later. For MediaWiki versions 1.25.x prior to 1.25.4, update to version 1.25.4 or later. For MediaWiki versions 1.26.x prior to 1.26.1, update to version 1.26.1 or later.