CVE's applied for (request 962589):

• T255918: Unescaped message used in HTML on Special:Contributions (CVE-2020-25812)
• T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815)
• T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813)
• T86738: mw.message.parse() accepts javascript: protocol in wikilinks (CVE-2020-25814)

For T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368) we can use CVE-2020-17367 CVE-2020-17368 (I think? As it's not a MW problem, we're just working around an Upstream one)

Need to do T115888: Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML (CVE-2020-25828) still (lost track when filling in the never ending scrolling forms)

Do we want to do them for T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869) and T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827)? The former doesn't quite feel like a security issue that would be relevant. The latter could go either way

And obviously the ones under T256342: Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.0) too

CVE's also requested for

• T115888: Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML (CVE-2020-25828)
• T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827)

I feel like T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869) should probably get a CVE since it can lead to Vuln-Infoleak and I feel like we've requested CVEs for most suppression-related issues in the past, or at least I have. I was also tracking this under T256342.

For the supplemental ext/skins, I think that just leaves T262213: XSS on Pages viewed on Mobile (CVE-2020-26120) and T262628: FileImporter imports the file even when the target page is protected on Commons and the importer should not be able to create it (CVE-2020-26121). T262724: Push extension exposes login credentials (CVE-2020-29004, CVE-2020-29005) is still kind of wandering through the æther - I need to follow up on that one. If the patch doesn't get merged soon, it'll likely have to wait until the next supplemental announcement. And I think T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623) will for sure have to wait for the next supplemental announcement.

In T256341#6489530, @sbassett wrote:

I feel like T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869) should probably get a CVE since it can lead to Vuln-Infoleak and I feel like we've requested CVEs for most suppression-related issues in the past, or at least I have. I was also tracking this under T256342.

I've requested a CVE for that too now

T262213: XSS on Pages viewed on Mobile (CVE-2020-26120) and T262628: FileImporter imports the file even when the target page is protected on Commons and the importer should not be able to create it (CVE-2020-26121) now both have CVEs requested. I'll plan to send out T256342 once I receive those.