Xiplus

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.12 MediaWiki versions 1.36.x through 1.39.x before 1.39.5 MediaWiki versions 1.40.x before 1.40.1 **Description** The issue in ApiPageSet.php allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. This can be exploited by remote attackers. **Recommendations** For MediaWiki versions prior to 1.35.12, update to version 1.35.12 or later. For MediaWiki versions 1.36.x through 1.39.x, update to version 1.39.5 or later. For MediaWiki versions 1.40.x before 1.40.1, update to version 1.40.1 or later. As a temporary workaround, consider restricting access to the ApiPageSet.php file until a patch is available. Avoid querying pages with redirects and converttitles set until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MediaWiki MobileFrontend extension versions 1.31 through 1.33 **Description** The issue is related to a lack of protection measures for the web page structure in the MobileFrontend extension for MediaWiki, specifically within the includes/specials/MobileSpecialPageFeed.php component. This allows for cross-site scripting (XSS) attacks, which can be exploited by a remote attacker to perform malicious actions. The XSS exists within the edit summary field. **Recommendations** For MediaWiki MobileFrontend extension versions 1.31 through 1.33, consider disabling the edit summary field in the includes/specials/MobileSpecialPageFeed.php component until a patch is available. Restrict access to this component to minimize the risk of exploitation. Avoid using the edit summary field in the affected version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.