Umherirrender

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.8 MediaWiki versions 1.36.x through 1.37.4 MediaWiki versions 1.38.x through 1.38.2 **Description** An issue was discovered in MediaWiki where the alreadyrolled message can leak a user name upon an action=rollback operation, specifically when the user has been revision deleted or suppressed. **Recommendations** For MediaWiki versions prior to 1.35.8, update to version 1.35.8 or later. For MediaWiki versions 1.36.x through 1.37.4, update to version 1.37.5 or later. For MediaWiki versions 1.38.x through 1.38.2, update to version 1.38.3 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.6 MediaWiki versions 1.36.x prior to 1.36.4 MediaWiki versions 1.37.x prior to 1.37.2 **Description** A cross-site scripting (XSS) issue was discovered. The `widthheight`, `widthheightpage`, and `nbytes` properties of messages are not properly escaped when used in galleries or the Special:RevisionDelete page. **Recommendations** For MediaWiki versions prior to 1.35.6, update to version 1.35.6 or later. For MediaWiki versions 1.36.x prior to 1.36.4, update to version 1.36.4 or later. For MediaWiki versions 1.37.x prior to 1.37.2, update to version 1.37.2 or later. As a temporary workaround, consider restricting the use of the `widthheight`, `widthheightpage`, and `nbytes` properties in galleries and the Special:RevisionDelete page until a patch is applied.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions through 1.36 Description: An issue was discovered in the FileImporter extension. For certain relaxed configurations of the `$wgFileImporterRequiredRight` variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations, specifically file uploads, that they should not be allowed to perform. Recommendations: For versions through 1.36, consider restricting the use of the FileImporter extension until a patch is available, or review and adjust the configuration of the `$wgFileImporterRequiredRight` variable to ensure proper validation of user rights.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.1 **Description** The issue exists due to the lack of protection for the web page structure in MediaWiki, specifically with the combination of `Html::rawElement` and `Message::text`. This can be exploited by a remote attacker to conduct a cross-site scripting (XSS) attack. The vulnerability arises because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki, allowing the output to be raw HTML. **Recommendations** For versions prior to 1.35.1, update to version 1.35.1 or later to resolve the issue. As a temporary workaround, consider restricting changes to the MediaWiki:recentchanges-legend-watchlistexpiry definition to prevent raw HTML output.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.33.0 through 1.35.1 **Description** The issue allows for XSS via BlockLogFormatter.php, where MediaWiki:blanknamespace can potentially be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). **Recommendations** For versions 1.33.0 through 1.35.1, update to version 1.35.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `LogFormatter::makePageLink()` function until a patch is available. Avoid using the `MediaWiki:blanknamespace` variable in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions 1.12.0 through 1.35.0 Description: The issue is related to insufficient protection measures in the BlockLogFormatter.php component of MediaWiki, allowing a remote attacker to compromise data integrity. The problem lies in the Language::translateBlockExpiry function not escaping in all code paths, making the return of Language::userTimeAndDate unsafe for HTML, particularly in month values. Recommendations: For MediaWiki versions 1.12.0 through 1.35.0, update to version 1.35.1 or later to resolve the issue. As a temporary workaround, consider disabling the `Language::translateBlockExpiry` function until a patch is available. Restrict access to the BlockLogFormatter.php component to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.35.1 Description: The issue is related to the messages `userrights-expiry-current` and `userrights-expiry-none` containing raw HTML, which can lead to XSS when a user visits Special:UserRights without having the rights to change all userrights, and the table on the left side has unchangeable groups in it. The right column with the changeable groups is not affected and is escaped correctly. Recommendations: For MediaWiki versions prior to 1.35.1, update to version 1.35.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Special:UserRights page until the update is applied.

**Name of the Vulnerable Software and Affected Versions** MediaWiki CheckUser extension versions through 1.34 **Description** An issue in the CheckUser extension for MediaWiki potentially exposed sensitive information within oversighted edit summaries to users with various levels of access. This sensitive information was made available via the MediaWiki API, allowing unauthorized access to data that should have been restricted. **Recommendations** For MediaWiki CheckUser extension versions through 1.34, update to a version that fixes this issue to prevent unauthorized access to sensitive information.