Universal-Omega

**Name of the Vulnerable Software and Affected Versions** TSPortal versions prior to 34 **Description** TSPortal, the WikiTide Foundation’s in-house platform used by the Trust and Safety team, was found to have a flaw that allowed attackers to create arbitrary user records in the database. This was possible due to abusing validation logic. While the validation process correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request was successful. This could be exploited to cause uncontrolled database growth, potentially leading to a denial of service (DoS). The issue stemmed from performing state-changing operations (`User::findOrCreate()`) inside validation logic and validation rules executing regardless of overall validation success. Specifically, when submitting a Data Processing Agreement (DPA) request, the `DPAAlreadyLive` validation rule called `User::findOrCreate()`, which created a user record if one did not already exist. This occurred even when the username validation (`MirahezeUsernameRule`) failed. An attacker could automate requests with invalid usernames, resulting in mass creation of arbitrary user records, unbounded database growth, increased storage and indexing overhead, and potential degradation of application performance. **Recommendations** Versions prior to 34 should be updated to version 34 or later.

**Name of the Vulnerable Software and Affected Versions** ManageWiki versions prior to commit 2f177dc **Description** The issue concerns a reflected or stored XSS vulnerability in the review dialog of ManageWiki, a MediaWiki extension. An attacker with a logged-in session can exploit this by modifying a form field to include malicious payload. When the "Review Changes" dialog is opened, the payload is rendered and executed within the attacker's own session context. **Recommendations** For versions prior to commit 2f177dc, update to a version that includes the patch from commit 2f177dc to resolve the issue. As a temporary workaround, consider restricting access to the review dialog until the patch is applied. Avoid using the review dialog with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ManageWiki (affected versions not specified) **Description** The issue concerns the ManageWiki MediaWiki extension, which allows users to manage wikis. Prior to a specific commit (00bebea), when a conflicting extension was enabled, a restricted extension would be automatically disabled, even if the user did not have the necessary ManageWiki-restricted right. **Recommendations** For versions prior to commit 00bebea, ensure that any extensions requiring specific permissions in `$wgManageWikiExtensions` also require the same permissions for managing any conflicting extensions. At the moment, there is no information about a newer version that contains a fix for this vulnerability, but it has been patched in commit 00bebea.

**Name of the Vulnerable Software and Affected Versions** ImportDump extension for mediawiki (affected versions not specified) **Description** The issue allows anyone who can edit the interface strings of a wiki, typically administrators and interface admins, to embed XSS payloads in the messages for dates. This can lead to XSS attacks on users who view Special:RequestImportQueue. The problem has been patched in commit `d054b95`. **Recommendations** Apply the commit `d054b95` to your branch to patch the issue. If unable to upgrade, prevent access to Special:RequestImportQueue on all wikis, except for the global wiki, and protect the affected messages up to the interface administrator level on the global wiki, if available. Alternatively, prevent access to Special:RequestImportQueue altogether.

**Name of the Vulnerable Software and Affected Versions** IncidentReporting versions prior to the version containing commit 43896a4 **Description** The IncidentReporting MediaWiki extension has multiple Cross-site Scripting issues that require elevated permissions to exploit. These issues affect users with the `editincidents` right, those who can edit interface messages (typically administrators and interface admins), and those who can edit LocalSettings.php. **Recommendations** For versions prior to the version containing commit 43896a4, upgrade to a version that includes commit 43896a4 to resolve the issue. As a temporary workaround for users unable to upgrade, prevent access to the Special:IncidentReports page.

**Name of the Vulnerable Software and Affected Versions** WikiDiscover (affected versions not specified) **Description** The issue concerns WikiDiscover, an extension for displaying wikis on a CreateWiki managed farm. A special page, Special:WikiDiscover, lists all wikis but fails to escape wiki names and descriptions, allowing for XSS payload execution when a wiki with such a payload is shown. The estimated number of potentially affected devices is not provided, and there is no information about real-world incidents where this issue was exploited. Technical details include the lack of escaping for wiki names and descriptions, enabling XSS attacks through `Special:WikiDiscover`. **Recommendations** For all versions of WikiDiscover, apply the patch with commit `2ce846dd93` to resolve the issue. As a temporary workaround for users unable to upgrade, block access to `Special:WikiDiscover` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ManageWiki (affected versions not specified) **Description** ManageWiki is a MediaWiki extension that allows users to manage wikis. The issue arises because Special:ManageWiki does not properly escape interface messages on the `columns` and `help` keys on the form descriptor. This oversight can be exploited by an attacker to launch a cross-site scripting attack. To exploit this vulnerability on-wiki, the attacker would need to have the `(editinterface)` right. **Recommendations** To resolve this vulnerability, users should apply the code changes in commits `886cc6b94`, `2ef0f50880`, and `6942e8b2c`. As a temporary workaround, consider restricting access to the Special:ManageWiki page until the code changes are applied. Avoid using the `columns` and `help` keys on the form descriptor in the affected ManageWiki extension until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WikiDiscover (affected versions not specified) **Description** The issue arises from the use of the `Language::date` function on Special:WikiDiscover, which utilizes unescaped interface messages to translate month and day names. This results in an XSS vulnerability when the unescaped interface message is included in the output. Exploiting this vulnerability on-wiki requires the `(editinterface)` right. **Recommendations** Update the WikiDiscover extension to a version that includes the fix committed in `267e763a0`. As a temporary workaround, consider restricting the `(editinterface)` right to minimize the risk of exploitation. Avoid using the `Language::date` function until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: ManageWiki (affected versions not specified) Description: The issue concerns the ManageWiki extension to the MediaWiki project, where the 'wikiconfig' API endpoint leaked private configuration variables set through the ManageWiki variable to all users. Recommendations: For all affected versions, consider setting `$wgAPIListModules['wikiconfig'] = 'ApiQueryDisabled';` or remove private config as a workaround until a patch is applied. Apply the patch available at https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch to resolve the issue.