
Jly (Jimmy Ly)
Disabled

User Details

User Since
Nov 19 2024, 4:00 PM (63 w, 3 d)
Roles
Disabled
LDAP User
Jly
MediaWiki User
JLy-WMF [ Global Accounts ]

Recent Activity

Aug 20 2025

Jly added a comment to T401179: Security Issue Access Request for Sadiya.Mohammed_WMDE.

@EMill-WMF Can you confirm if this is sufficient and I will proceed with granting access.

Aug 20 2025, 3:44 PM · SecTeam-Processed

Aug 14 2025

Jly closed T365525: Application Security Review Request : CommunityRequests Extension, a subtask of T366194: Migrate Community Wishlist to CommunityRequests extension, as Resolved.
Aug 14 2025, 10:30 AM · Community-Tech (Sea Lion Squad), MW-1.44-notes (1.44.0-wmf.2; 2024-11-05), Patch-For-Review, MW-1.43-notes (1.43.0-wmf.24; 2024-09-24), Epic, MediaWiki-extensions-CommunityRequests, Wishlist intake gadget
Jly closed T365525: Application Security Review Request : CommunityRequests Extension as Resolved.

Thanks, I'll go ahead and put this into the risk register as it's something we still want to keep track of in the future.

Aug 14 2025, 10:30 AM · MediaWiki-extensions-CommunityRequests, Community-Tech, secscrum, Security, Application Security Reviews

Aug 12 2025

Jly added a comment to T365525: Application Security Review Request : CommunityRequests Extension.

@MusikAnimal @dmaza It does look to be unmaintained. We would need your manager/director's approval to accept these risks and to be entered in the risk registry.

Aug 12 2025, 4:02 PM · MediaWiki-extensions-CommunityRequests, Community-Tech, secscrum, Security, Application Security Reviews
Jly closed T401262: Security Issue Access Request for MMoss_WMF as Resolved.

Thanks all. @MMoss_WMF, access has been granted.

Aug 12 2025, 12:21 PM · SecTeam-Processed, Security-Team, Security
Jly added a member for Security: MMoss_WMF.
Aug 12 2025, 12:20 PM
Jly added a member for acl*security_legal: MMoss_WMF.
Aug 12 2025, 12:20 PM
Jly closed T401132: Security Issue Access Request for Samwalton9-WMF as Resolved.

Thanks all. @Samwalton9-WMF, access has been granted.

Aug 12 2025, 12:18 PM · SecTeam-Processed, Security-Team, Security
Jly added a member for Security: Samwalton9-WMF.
Aug 12 2025, 12:16 PM
Jly added a member for acl*security_product_manager: Samwalton9-WMF.
Aug 12 2025, 12:16 PM

Aug 11 2025

Jly added a comment to T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.

Thank you everyone for this, this was a huge effort. We will track this with the next quarterly releases and prepare the HOF when it's completed.

Aug 11 2025, 9:32 PM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team

Aug 6 2025

Jly added a comment to T365525: Application Security Review Request : CommunityRequests Extension.

Since we did not introduce any new packages in this extension, the only issues that need addressing on our side are those listed in P80545. Is that correct?

Aug 6 2025, 3:07 PM · MediaWiki-extensions-CommunityRequests, Community-Tech, secscrum, Security, Application Security Reviews

Aug 4 2025

Jly added a project to T400892: CVE-2025-62669: UserInfoCard: activeLocalBlocksAllWikis does not do permissions checks: Vuln-Infoleak.
Aug 4 2025, 11:17 AM · Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)), MediaWiki-Platform-Team (Radar), Security-Team, MediaWiki-extensions-CentralAuth, OKR-Work, Vuln-Infoleak, SecTeam-Processed, CheckUser-UserInfoCard, Trust and Safety Product Team, Security
Jly added a project to T400892: CVE-2025-62669: UserInfoCard: activeLocalBlocksAllWikis does not do permissions checks: SecTeam-Processed.
Aug 4 2025, 11:15 AM · Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)), MediaWiki-Platform-Team (Radar), Security-Team, MediaWiki-extensions-CentralAuth, OKR-Work, Vuln-Infoleak, SecTeam-Processed, CheckUser-UserInfoCard, Trust and Safety Product Team, Security
Jly closed T401046: CVE-2025-62665: Stored XSS through system messages in Skin:BlueSky as Resolved.

Thanks for sorting this one out. I will resolve it since there are no more actionable items.

Aug 4 2025, 11:09 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security

Aug 3 2025

Jly closed T400864: Security Issue Access Request for mszwarc as Resolved.

Thank you, Andre!

Aug 3 2025, 11:49 AM · SecTeam-Processed, Security-Team, Security
Jly changed the status of T400864: Security Issue Access Request for mszwarc from Open to In Progress.
Aug 3 2025, 11:47 AM · SecTeam-Processed, Security-Team, Security
Jly added a member for Security: mszwarc.
Aug 3 2025, 11:44 AM
Jly added a member for acl*security_developer: mszwarc.
Aug 3 2025, 11:44 AM
Jly removed a member for acl*security_secteam: MHedlund-WMF.
Aug 3 2025, 11:34 AM
Jly updated subscribers of T400864: Security Issue Access Request for mszwarc.

Can a Phab admin (@Aklapper) confirm 2FA has been enabled for @mszwarc, as I lack the privileges? If not, @sbassett, can you check when you're back on leave?

Aug 3 2025, 10:29 AM · SecTeam-Processed, Security-Team, Security

Aug 2 2025

Jly added a comment to T365525: Application Security Review Request : CommunityRequests Extension.

Security Review Summary - T365525 - 2025-08-02
Last commit reviewed: 72b33ae

Aug 2 2025, 9:45 PM · MediaWiki-extensions-CommunityRequests, Community-Tech, secscrum, Security, Application Security Reviews

Jul 31 2025

Jly added a comment to T365525: Application Security Review Request : CommunityRequests Extension.

@JWheeler-WMF No worries, I can aim for the end of next week.

Jul 31 2025, 9:52 PM · MediaWiki-extensions-CommunityRequests, Community-Tech, secscrum, Security, Application Security Reviews
Jly added a comment to T365525: Application Security Review Request : CommunityRequests Extension.

Hey all, yes, exactly, just like Scott mentioned. I've been reviewing it on and off, and I should have something by the end of next week or the week after at the latest. I will keep you posted on any delays.

Jul 31 2025, 8:44 PM · MediaWiki-extensions-CommunityRequests, Community-Tech, secscrum, Security, Application Security Reviews
Jly closed T399132: Add security reports from 1.39.13/1.42.7/1.43.2/1.44.0 (+ extension supplement) to security hall of fame as Resolved.

The HOF has been updated in production now.

Jul 31 2025, 4:40 PM · SecTeam-Processed, affects-Miraheze, Security-Team
Jly updated subscribers of T399132: Add security reports from 1.39.13/1.42.7/1.43.2/1.44.0 (+ extension supplement) to security hall of fame.
Jul 31 2025, 3:57 PM · SecTeam-Processed, affects-Miraheze, Security-Team

Jul 28 2025

Jly added a comment to T400526: CVE-2025-62702: Stored XSS through system messages in PageTriage.

+1 CR, we will look to get it deployed today

Jul 28 2025, 4:46 PM · SecTeam-Processed, Moderator-Tools-Team, affects-Miraheze, PageTriage, Vuln-XSS, Security, Security-Team
Jly added a comment to T400545: CVE-2025-62701: Stored XSS through system messages in Wikistories.

+1 CR, we will look to get it deployed today

Jul 28 2025, 4:46 PM · SecTeam-Processed, Wikistories, Vuln-XSS, Security, Security-Team

Jul 9 2025

Jly added a comment to T365525: Application Security Review Request : CommunityRequests Extension.

No worries, no rush! Please give me a ping when it's ready

Jul 9 2025, 4:32 PM · MediaWiki-extensions-CommunityRequests, Community-Tech, secscrum, Security, Application Security Reviews

Jul 8 2025

Jly closed T396946: CVE-2025-53496: Stored XSS through a system message in MediaSearch as Resolved.
Jul 8 2025, 7:13 PM · SecTeam-Processed, Structured-Data-Backlog, Vuln-XSS, MediaSearch, Security, Security-Team
Jly removed a project from T395622: CVE-2025-53490: Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback: Patch-For-Review.
Jul 8 2025, 3:43 PM · SecTeam-Processed, Essential-Work, Vuln-XSS, Connection-Team (Connection-Current-Sprint), CampaignEvents, Security, Security-Team
Jly added a comment to T365525: Application Security Review Request : CommunityRequests Extension.

@JWheeler-WMF Can I check if the codebase is ready to be reviewed? We'd like to ensure it's as close to production-ready as possible, so there aren't any major features or changes introduced after the review.

Jul 8 2025, 3:30 PM · MediaWiki-extensions-CommunityRequests, Community-Tech, secscrum, Security, Application Security Reviews

Jul 7 2025

Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 7 2025, 7:11 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly changed the visibility for T394938: CVE-2025-53494: Stored XSS through a system message in TwoColConflict.
Jul 7 2025, 6:52 PM · SecTeam-Processed, WMDE-TechWish-Sprint-2025-05-14, Two-Column-Edit-Conflict-Merge, affects-Miraheze, Vuln-XSS, Security, Security-Team
Jly changed the visibility for T395622: CVE-2025-53490: Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback.
Jul 7 2025, 6:50 PM · SecTeam-Processed, Essential-Work, Vuln-XSS, Connection-Team (Connection-Current-Sprint), CampaignEvents, Security, Security-Team
Jly changed the visibility for T392279: CVE-2025-53502: HTML injection in FeaturedFeeds output from i18n message.
Jul 7 2025, 6:48 PM · SecTeam-Processed, MW-1.45-notes (1.45.0-wmf.6; 2025-06-17), Vuln-XSS, MediaWiki-extensions-FeaturedFeeds, Security, Security-Team
Jly removed a project from T397524: CVE-2025-53501: Scribunto title.getContent() doesn't respect $wgNonincludableNamespaces: Patch-For-Review.
Jul 7 2025, 6:47 PM · Vuln-Infoleak, MediaWiki-extensions-Lockdown, Scribunto, Security, Security-Team
Jly removed a project from T397334: CVE-2025-53500: Stored XSS through system messages in MassEditRegex: Patch-For-Review.
Jul 7 2025, 6:46 PM · SecTeam-Processed, affects-Miraheze, Vuln-XSS, MediaWiki-extensions-MassEditRegex, Security
Jly changed the visibility for T394612: CVE-2025-7057: Stored XSS through a system message in Extension:Quiz.
Jul 7 2025, 6:42 PM · Security-Team, SecTeam-Processed, MediaWiki-extensions-Quiz, Vuln-XSS, affects-Miraheze, Security
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 7 2025, 6:39 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly closed T396524: CVE-2025-53488: Stored XSS through system messages in WikiHiero as Resolved.
Jul 7 2025, 6:38 PM · Patch-For-Review, MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), SecTeam-Processed, WikiHiero, Vuln-XSS, affects-Miraheze, Security, Security-Team
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 7 2025, 6:19 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly added a comment to T398840: Modify security-related Phabricator projects related to incidents and audits.

Those are all good ideas, and I'm happy to support them.

Jul 7 2025, 4:48 PM · SecTeam-Processed, Project-Admins, Security, Security-Team
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 7 2025, 4:22 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly closed T396413: CVE-2025-53497: Stored XSS in RelatedArticles as Resolved.
Jul 7 2025, 4:21 PM · Web-Team, RelatedArticles, affects-Miraheze, Vuln-XSS, Security, Security-Team
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 7 2025, 4:14 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly removed a project from T394397: CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS: Patch-For-Review.
Jul 7 2025, 4:13 PM · SecTeam-Processed, FlaggedRevs, Vuln-XSS, Security, Security-Team
Jly closed T394397: CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS as Resolved.
Jul 7 2025, 4:12 PM · SecTeam-Processed, FlaggedRevs, Vuln-XSS, Security, Security-Team
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 7 2025, 3:10 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly renamed T394612: CVE-2025-7057: Stored XSS through a system message in Extension:Quiz from Stored XSS through a system message in Extension:Quiz to CVE-2025-7057: Stored XSS through a system message in Extension:Quiz.
Jul 7 2025, 3:08 PM · Security-Team, SecTeam-Processed, MediaWiki-extensions-Quiz, Vuln-XSS, affects-Miraheze, Security
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 7 2025, 1:55 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly renamed T394869: CVE-2025-7056: Stored XSS through a system message in UrlShortener from Stored XSS through a system message in UrlShortener to CVE-2025-7056: Stored XSS through a system message in UrlShortener.
Jul 7 2025, 1:52 PM · Vuln-XSS, SecTeam-Processed, MediaWiki-extensions-UrlShortener, affects-Miraheze, Security, Security-Team
Jly added a comment to T394869: CVE-2025-7056: Stored XSS through a system message in UrlShortener.

@SomeRandomDeveloper Apologies, this was a mistake and has been corrected on all the uploaded patches where possible. I have a permission error with the Quiz extension and have asked a team member to correct the author/attribution.

Jul 7 2025, 1:51 PM · Vuln-XSS, SecTeam-Processed, MediaWiki-extensions-UrlShortener, affects-Miraheze, Security, Security-Team

Jul 3 2025

Jly updated subscribers of T394869: CVE-2025-7056: Stored XSS through a system message in UrlShortener.
Jul 3 2025, 10:18 PM · Vuln-XSS, SecTeam-Processed, MediaWiki-extensions-UrlShortener, affects-Miraheze, Security, Security-Team
Jly added a comment to T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 3 2025, 10:15 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 3 2025, 10:13 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly closed T397524: CVE-2025-53501: Scribunto title.getContent() doesn't respect $wgNonincludableNamespaces as Resolved.
Jul 3 2025, 4:11 PM · Vuln-Infoleak, MediaWiki-extensions-Lockdown, Scribunto, Security, Security-Team
Jly closed T392279: CVE-2025-53502: HTML injection in FeaturedFeeds output from i18n message as Resolved.
Jul 3 2025, 4:08 PM · SecTeam-Processed, MW-1.45-notes (1.45.0-wmf.6; 2025-06-17), Vuln-XSS, MediaWiki-extensions-FeaturedFeeds, Security, Security-Team
Jly closed T395622: CVE-2025-53490: Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback as Resolved.
Jul 3 2025, 3:59 PM · SecTeam-Processed, Essential-Work, Vuln-XSS, Connection-Team (Connection-Current-Sprint), CampaignEvents, Security, Security-Team
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 3 2025, 11:17 AM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security

Jul 2 2025

Jly updated subscribers of T397221: CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern.
Jul 2 2025, 11:58 PM · Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), SecTeam-Processed, Trust and Safety Product Team, AbuseFilter, Security, Security-Team
Jly updated subscribers of T397196: CVE-2025-53499: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions.
Jul 2 2025, 11:54 PM · OKR-Work, SecTeam-Processed, Vuln-MissingAuthz, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), Trust and Safety Product Team, AbuseFilter, Security, Security-Team
Jly updated subscribers of T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id>.
Jul 2 2025, 11:48 PM · OKR-Work, SecTeam-Processed, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), Vuln-MissingAuthz, Vuln-Infoleak, MediaWiki-extensions-IPReputation, AbuseFilter, Trust and Safety Product Team, Security, Security-Team
Jly updated subscribers of T396946: CVE-2025-53496: Stored XSS through a system message in MediaSearch.
Jul 2 2025, 11:45 PM · SecTeam-Processed, Structured-Data-Backlog, Vuln-XSS, MediaSearch, Security, Security-Team
Jly updated subscribers of T396413: CVE-2025-53497: Stored XSS in RelatedArticles.
Jul 2 2025, 11:39 PM · Web-Team, RelatedArticles, affects-Miraheze, Vuln-XSS, Security, Security-Team
Jly updated subscribers of T396524: CVE-2025-53488: Stored XSS through system messages in WikiHiero.
Jul 2 2025, 11:24 PM · Patch-For-Review, MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), SecTeam-Processed, WikiHiero, Vuln-XSS, affects-Miraheze, Security, Security-Team
Jly updated subscribers of T395622: CVE-2025-53490: Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback.
Jul 2 2025, 5:11 PM · SecTeam-Processed, Essential-Work, Vuln-XSS, Connection-Team (Connection-Current-Sprint), CampaignEvents, Security, Security-Team
Jly reopened T394397: CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS as "Open".
Jul 2 2025, 4:03 PM · SecTeam-Processed, FlaggedRevs, Vuln-XSS, Security, Security-Team
Jly closed T394397: CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS as Resolved.
Jul 2 2025, 2:42 PM · SecTeam-Processed, FlaggedRevs, Vuln-XSS, Security, Security-Team
Jly closed T394938: CVE-2025-53494: Stored XSS through a system message in TwoColConflict as Resolved.
Jul 2 2025, 2:28 PM · SecTeam-Processed, WMDE-TechWish-Sprint-2025-05-14, Two-Column-Edit-Conflict-Merge, affects-Miraheze, Vuln-XSS, Security, Security-Team

Jul 1 2025

Jly closed T397521: CVE-2025-12004: The compare API module breaks Extension:Lockdown as Resolved.

This has been merged to master, I will resolve.

Jul 1 2025, 3:44 PM · MW-1.45-notes (1.45.0-wmf.8; 2025-07-01), SecTeam-Processed, MediaWiki-Action-API, MW-Interfaces-Team, Vuln-Infoleak, Security, Security-Team
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jul 1 2025, 3:42 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security

Jun 30 2025

Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jun 30 2025, 10:52 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly updated the task description for T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).
Jun 30 2025, 7:37 PM · affects-Miraheze, user-sbassett, MediaWiki-Releasing, Security
Jly renamed T397334: CVE-2025-53500: Stored XSS through system messages in MassEditRegex from Stored XSS through system messages in MassEditRegex to CVE-2025-53500: Stored XSS through system messages in MassEditRegex.
Jun 30 2025, 7:27 PM · SecTeam-Processed, affects-Miraheze, Vuln-XSS, MediaWiki-extensions-MassEditRegex, Security
Jly renamed T397524: CVE-2025-53501: Scribunto title.getContent() doesn't respect $wgNonincludableNamespaces from Scribunto title.getContent() doesn't respect $wgNonincludableNamespaces to CVE-2025-53501: Scribunto title.getContent() doesn't respect $wgNonincludableNamespaces.
Jun 30 2025, 7:27 PM · Vuln-Infoleak, MediaWiki-extensions-Lockdown, Scribunto, Security, Security-Team
Jly renamed T392279: CVE-2025-53502: HTML injection in FeaturedFeeds output from i18n message from CVE-2025-53482: HTML injection in FeaturedFeeds output from i18n message to CVE-2025-53502: HTML injection in FeaturedFeeds output from i18n message.
Jun 30 2025, 7:26 PM · SecTeam-Processed, MW-1.45-notes (1.45.0-wmf.6; 2025-06-17), Vuln-XSS, MediaWiki-extensions-FeaturedFeeds, Security, Security-Team
Jly renamed T397221: CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern from CVE-2025-53483: AbuseFilter batch testing tool do not log when protected variables are in the test pattern to CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern.
Jun 30 2025, 7:26 PM · Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), SecTeam-Processed, Trust and Safety Product Team, AbuseFilter, Security, Security-Team
Jly renamed T397196: CVE-2025-53499: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions from CVE-2025-53484: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions to CVE-2025-53499: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions.
Jun 30 2025, 7:26 PM · OKR-Work, SecTeam-Processed, Vuln-MissingAuthz, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), Trust and Safety Product Team, AbuseFilter, Security, Security-Team
Jly renamed T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id> from CVE-2025-53485: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id> to CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id>.
Jun 30 2025, 7:26 PM · OKR-Work, SecTeam-Processed, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), Vuln-MissingAuthz, Vuln-Infoleak, MediaWiki-extensions-IPReputation, AbuseFilter, Trust and Safety Product Team, Security, Security-Team
Jly renamed T396946: CVE-2025-53496: Stored XSS through a system message in MediaSearch from CVE-2025-53486: Stored XSS through a system message in MediaSearch to CVE-2025-53496: Stored XSS through a system message in MediaSearch.
Jun 30 2025, 7:26 PM · SecTeam-Processed, Structured-Data-Backlog, Vuln-XSS, MediaSearch, Security, Security-Team
Jly renamed T396413: CVE-2025-53497: Stored XSS in RelatedArticles from CVE-2025-53487: Stored XSS in RelatedArticles to CVE-2025-53497: Stored XSS in RelatedArticles.
Jun 30 2025, 7:25 PM · Web-Team, RelatedArticles, affects-Miraheze, Vuln-XSS, Security, Security-Team
Jly renamed T392279: CVE-2025-53502: HTML injection in FeaturedFeeds output from i18n message from HTML injection in FeaturedFeeds output from i18n message to CVE-2025-53482: HTML injection in FeaturedFeeds output from i18n message.
Jun 30 2025, 7:24 PM · SecTeam-Processed, MW-1.45-notes (1.45.0-wmf.6; 2025-06-17), Vuln-XSS, MediaWiki-extensions-FeaturedFeeds, Security, Security-Team
Jly renamed T397221: CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern from AbuseFilter batch testing tool do not log when protected variables are in the test pattern to CVE-2025-53483: AbuseFilter batch testing tool do not log when protected variables are in the test pattern.
Jun 30 2025, 7:24 PM · Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), SecTeam-Processed, Trust and Safety Product Team, AbuseFilter, Security, Security-Team
Jly renamed T397196: CVE-2025-53499: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions from AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions to CVE-2025-53484: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions.
Jun 30 2025, 7:23 PM · OKR-Work, SecTeam-Processed, Vuln-MissingAuthz, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), Trust and Safety Product Team, AbuseFilter, Security, Security-Team
Jly renamed T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id> from Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id> to CVE-2025-53485: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id>.
Jun 30 2025, 7:23 PM · OKR-Work, SecTeam-Processed, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), Vuln-MissingAuthz, Vuln-Infoleak, MediaWiki-extensions-IPReputation, AbuseFilter, Trust and Safety Product Team, Security, Security-Team
Jly renamed T396946: CVE-2025-53496: Stored XSS through a system message in MediaSearch from Stored XSS through a system message in MediaSearch to CVE-2025-53486: Stored XSS through a system message in MediaSearch.
Jun 30 2025, 7:22 PM · SecTeam-Processed, Structured-Data-Backlog, Vuln-XSS, MediaSearch, Security, Security-Team
Jly renamed T396413: CVE-2025-53497: Stored XSS in RelatedArticles from Stored XSS in RelatedArticles to CVE-2025-53487: Stored XSS in RelatedArticles.
Jun 30 2025, 7:22 PM · Web-Team, RelatedArticles, affects-Miraheze, Vuln-XSS, Security, Security-Team
Jly renamed T396524: CVE-2025-53488: Stored XSS through system messages in WikiHiero from Stored XSS through system messages in WikiHiero to CVE-2025-53488: Stored XSS through system messages in WikiHiero.
Jun 30 2025, 7:21 PM · Patch-For-Review, MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), SecTeam-Processed, WikiHiero, Vuln-XSS, affects-Miraheze, Security, Security-Team
Jly renamed T395949: CVE-2025-53489: Improperly sanitized style parameter in GoogleDocs4MW from Improperly sanitized style parameter in GoogleDocs4MW to CVE-2025-53489: Improperly sanitized style parameter in GoogleDocs4MW.
Jun 30 2025, 7:21 PM · Vuln-Infoleak, SecTeam-Processed, affects-Miraheze, MediaWiki-extensions-GoogleDocs4MW, Security
Jly renamed T395622: CVE-2025-53490: Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback from Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback to CVE-2025-53490: Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback.
Jun 30 2025, 7:20 PM · SecTeam-Processed, Essential-Work, Vuln-XSS, Connection-Team (Connection-Current-Sprint), CampaignEvents, Security, Security-Team
Jly renamed T394397: CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS from Special:PendingChanges vulnerable to i18n XSS to CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS.
Jun 30 2025, 7:20 PM · SecTeam-Processed, FlaggedRevs, Vuln-XSS, Security, Security-Team
Jly renamed T395737: CVE-2025-53492: Stored XSS in Extension:MintyDocs still reproducible from Stored XSS in Extension:MintyDocs still reproducible to CVE-2025-53492: Stored XSS in Extension:MintyDocs still reproducible.
Jun 30 2025, 7:19 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-extensions-MintyDocs, Security, Security-Team
Jly renamed T395376: CVE-2025-53493: Stored XSS in Extension:MintyDocs from Stored XSS in Extension:MintyDocs to CVE-2025-53493: Stored XSS in Extension:MintyDocs.
Jun 30 2025, 7:19 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-extensions-MintyDocs, affects-Miraheze, Security, Security-Team
Jly renamed T394938: CVE-2025-53494: Stored XSS through a system message in TwoColConflict from Stored XSS through a system message in TwoColConflict to CVE-2025-53494: Stored XSS through a system message in TwoColConflict.
Jun 30 2025, 3:52 PM · SecTeam-Processed, WMDE-TechWish-Sprint-2025-05-14, Two-Column-Edit-Conflict-Merge, affects-Miraheze, Vuln-XSS, Security, Security-Team

Jun 24 2025

Jly closed T368224: Audit members of acl*security for more than 12 months of no activity (May 2025) as Resolved.

My apologies. T397734 has been opened and I will proceed to close this one now. Thanks all.

Jun 24 2025, 4:00 PM · SecTeam-Processed, Security, Security-Team, Phabricator
Jly closed T368224: Audit members of acl*security for more than 12 months of no activity (May 2025), a subtask of T391150: Audit Phabricator security policies and groups membership, as Resolved.
Jun 24 2025, 4:00 PM · SecTeam-Processed, Phabricator, Security-Team
Jly set Due Date to May 29 2026, 11:00 PM on T397734: Audit members of acl*security for more than 12 months of no activity (May 2026).
Jun 24 2025, 3:59 PM · Security-Audits, SecTeam-Processed, Security-Team, Security
Jly triaged T397734: Audit members of acl*security for more than 12 months of no activity (May 2026) as Low priority.
Jun 24 2025, 3:58 PM · Security-Audits, SecTeam-Processed, Security-Team, Security
Jly created T397734: Audit members of acl*security for more than 12 months of no activity (May 2026).
Jun 24 2025, 3:58 PM · Security-Audits, SecTeam-Processed, Security-Team, Security