= T178451: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping =
== Flaw ==
Potential XSS when `$wgShowExceptionDetails = false;` is set and an exception is encountered; whether it can be triggered depends on the client used.
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.27.x prior to 1.27.4
and unsupported branches 1.20.x, 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x, 1.28.x
== Reference ==
https://phabricator.wikimedia.org/T178451
= T128209: Reflected File Download from api.php =
== Flaw ==
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x, 1.28.x
== Reference ==
https://phabricator.wikimedia.org/T128209
= T165846: BotPasswords doesn't throttle login attempts =
== Flaw ==
When logging in using a Bot Password, login attempts are not throttled.
== Exploit ==
A malicious user can repeatedly try to log in via the API using a Bot Password, ignoring any warnings and without any restrictions, which makes guessing passwords a lot easier. With the throttle in place, users are limited in the number of login attempts they can make within a period of time.
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.27.x prior to 1.27.4
and unsupported branch 1.28.x
== Reference ==
https://phabricator.wikimedia.org/T165846
= T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password =
== Flaw ==
On a private wiki, the list of its users is also private. The error messages given upon a failed login make it possible to distinguish whether a user has an account on the wiki.
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x, 1.28.x
== Reference ==
https://phabricator.wikimedia.org/T134100
= T176247: It's possible to mangle HTML via raw message parameter expansion =
== Flaw ==
When `$wgExperimentalHtmlIds` is set to true (false by default), certain characters in section IDs don't get percent-encoded, including `$`, which is used for parameter substitution.
== Exploit ==
It is possible to combine this with raw localization message parameter expansion to create malformed HTML. While escalation to full-blown XSS hasn't been demonstrated so far, it remains a possibility.
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x, 1.28.x
== Reference ==
https://phabricator.wikimedia.org/T176247
= T125163: id attribute on headlines allow raw > =
== Flaw ==
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x, 1.28.x
== Reference ==
https://phabricator.wikimedia.org/T125163