
Tobefree

Researcher from Wikimedia Communities
#51718 of 53,624
4.3 Total CVSS
Vulnerabilities · 1
PT-2023-8944
4.3
2023-10-10
Mediawiki · Mediawiki · CVE-2023-45362
**Name of the Vulnerable Software and Affected Versions**

- MediaWiki versions prior to 1.35.12
- MediaWiki versions 1.36.x through 1.39.x before 1.39.5
- MediaWiki versions 1.40.x before 1.40.1

**Description**

An issue was discovered in DifferenceEngine.php, where the `diff-multi-sameuser` feature ignores username suppression, leading to an information leak. This allows a remote attacker to access confidential information.

**Recommendations**

- For MediaWiki versions prior to 1.35.12, update to version 1.35.12 or later.
- For MediaWiki versions 1.36.x through 1.39.x, update to version 1.39.5 or later.
- For MediaWiki versions 1.40.x before 1.40.1, update to version 1.40.1 or later.

As a temporary workaround, consider restricting access to the DifferenceEngine.php file until a patch is available.