T169545 - $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie'
Newly created accounts ('newbie') are supposed to have more stringent rate limits applied, but the default limits for all users ('user') were taking precedence.
Affects all MediaWiki versions since 1.13.0 (Aug 2008).
T187638 - When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information
Allows users to see private information if they construct a URL manually.
Affects all MediaWiki versions since 1.27.0 (Jun 2016).
T194605 - BotPassword can bypass CentralAuth's account lock
Creating a BotPassword would allow users to bypass an account lock (which is supposed to prevent the user from logging in at all or taking any actions) and continue to make edits, etc.
Affects all MediaWiki versions since 1.27.0 (Jun 2016).
T194237 - Creating a new botpassword allows you to take control of an account in much the same way as changing the password does as it essentially creates a new password.
Hardening measure to ensure that BotPasswords can't be used to fully take over an account by changing the real password, email, etc.
Affects all MediaWiki versions since 1.27.0 (Jun 2016).
Fixes for all 4 issues will be released in 1.27.5/1.29.3/1.30.1/1.31.1.
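
For T169545, a configuration check as an added example (not MediaWiki's own code): it lists the actions in a $wgRateLimits-shaped array where the 'user' entry is looser than the 'newbie' entry, which are the actions where new accounts got a weaker limit than configured on affected versions. The sample array and the function name findWeakenedNewbieLimits are constructed for illustration, and limits are compared as plain rates (count per second).

```php
<?php
// Constructed sample in the $wgRateLimits shape:
// action => [ group => [ max actions, period in seconds ] ].
$sampleRateLimits = [
    'edit' => [
        'newbie' => [ 8, 60 ],
        'user'   => [ 90, 60 ],
    ],
    'move' => [
        'newbie' => [ 2, 120 ],
        'user'   => [ 8, 60 ],
    ],
    'emailuser' => [
        'newbie' => [ 5, 86400 ],  // no 'user' entry, so nothing takes precedence
    ],
    'upload' => [
        'user'   => [ 10, 60 ],    // no 'newbie' entry, so nothing is weakened
    ],
];

/**
 * Hypothetical helper: return the actions whose 'user' limit is looser than
 * the 'newbie' limit. Per T169545, on affected versions the 'user' entry
 * took precedence, so these are the actions where new accounts were held
 * to the looser limit instead of the stricter one.
 */
function findWeakenedNewbieLimits( array $rateLimits ): array {
    $findings = [];
    foreach ( $rateLimits as $action => $groups ) {
        if ( !isset( $groups['newbie'], $groups['user'] ) ) {
            continue; // both entries must exist for one to override the other
        }
        [ $newbieMax, $newbiePeriod ] = $groups['newbie'];
        [ $userMax, $userPeriod ] = $groups['user'];
        // Cross-multiply to compare max/period without float division.
        if ( $newbieMax * $userPeriod < $userMax * $newbiePeriod ) {
            $findings[$action] = [ 'intended' => $groups['newbie'], 'applied' => $groups['user'] ];
        }
    }
    return $findings;
}

foreach ( findWeakenedNewbieLimits( $sampleRateLimits ) as $action => $f ) {
    printf( "%s: newbie limit %d per %ds was replaced by user limit %d per %ds\n",
        $action, $f['intended'][0], $f['intended'][1], $f['applied'][0], $f['applied'][1] );
}
```

With the constructed sample this reports 'edit' and 'move'; 'emailuser' and 'upload' are skipped because only one of the two entries is set.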