
Tosfos

Rank: #16505 of 53,624
Total CVSS: 16.3
Vulnerabilities: 2 (High: 2)
PT-2021-11621 · CVSS 8.8 · 2020-10-10
Mediawiki · Mediawiki Push Extension · CVE-2020-29004
Name of the Vulnerable Software and Affected Versions: MediaWiki Push extension versions through 1.35
Description: The API of the Push extension for MediaWiki, specifically ApiPushBase.php, does not require an edit token. This omission allows a CSRF attack against the API.
Recommendations: For MediaWiki Push extension versions through 1.35, consider implementing proper validation and requirement of edit tokens in the API to prevent CSRF attacks. As a temporary workaround, consider restricting access to the ApiPushBase.php file until a proper fix is applied.
PT-2021-11622 · CVSS 7.5 · 2020-10-10
Mediawiki · Push Extension · CVE-2020-29005
Name of the Vulnerable Software and Affected Versions: MediaWiki versions through 1.35
Description: The API in the Push extension for MediaWiki handled ApiPush credentials in cleartext, which could lead to information disclosure.
Recommendations: For MediaWiki versions through 1.35, consider disabling the Push extension until a secure version is available to prevent potential information disclosure. Restrict access to the API endpoints related to the Push extension to minimize the risk of exploitation. Avoid using cleartext credentials in the ApiPush configuration until the issue is resolved.