= T178451: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping =
== Flaw ==
Potential XSS when `$wgShowExceptionDetails = false;` is set and an exception is encountered, depending on the client used.
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.20.x, 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T178451
= T128209: Reflected File Download from api.php =
== Flaw ==
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T128209
= T165846: BotPasswords doesn't throttle login attempts =
== Flaw ==
When a user logs in using a Bot Password, their login attempts are not limited.
== Exploit ==
A malicious user can repeatedly try to log in via the API using a Bot Password, ignoring any warnings and without any restrictions, which makes guessing passwords a lot easier. With the throttle in place, users are limited in the number of login attempts in a period of time.
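The following is an added sketch, not MediaWiki's own code, of the control this entry describes: one sliding-window throttle that every login path must pass through, so the bot-password path cannot bypass the limit that applies to the login form. The class, the function names, the `user@app` bot-name format, the limits and the sample credentials are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window cap on failed logins per (account, client IP)."""
    def __init__(self, max_failures, window_seconds):
        self.max_failures, self.window = max_failures, window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def blocked(self, key, now):
        return len(self._recent(key, now)) >= self.max_failures

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

def _kdf(secret):
    # Demo-only: fixed salt and low iteration count keep the example short.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), b"demo-salt", 10_000)

# Constructed sample credentials (hypothetical account and bot name).
MAIN_PASSWORDS = {"Alice": _kdf("correct horse")}
BOT_PASSWORDS = {"Alice@importer": _kdf("b0t-secret")}
THROTTLE = LoginThrottle(max_failures=3, window_seconds=60)

def _attempt(store, name, secret, ip, now):
    # Both credential types share one counter for the underlying account.
    key = (name.split("@", 1)[0], ip)
    if THROTTLE.blocked(key, now):
        return "throttled"  # refuse before the password is even checked
    expected = store.get(name)
    if expected is not None and hmac.compare_digest(expected, _kdf(secret)):
        return "ok"
    THROTTLE.record_failure(key, now)
    return "failed"

def login_form(user, password, ip, now):
    return _attempt(MAIN_PASSWORDS, user, password, ip, now)

def login_bot_password(bot_name, password, ip, now):
    # The flawed pattern would check BOT_PASSWORDS directly, skipping THROTTLE.
    return _attempt(BOT_PASSWORDS, bot_name, password, ip, now)
```

Once the limit is reached, even the correct password is refused until the window expires, and failures on the bot-password path also count against the login form for the same account and client address.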
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
== Reference ==
https://phabricator.wikimedia.org/T165846
= T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password =
== Flaw ==
On a private wiki, the list of its users is also private. Error messages given upon login with an incorrect password make it possible to distinguish if a user has an account on the wiki or not.
This information should not be exposed to an anonymous user.
== Exploit ==
A malicious user can easily find out if the account they are trying to log in as exists on the wiki. Once they know the account exists, they just need to work out the password.
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T134100
= T176247: It's possible to mangle HTML via raw message parameter expansion =
== Flaw ==
When `$wgExperimentalHtmlIds` is set to true (false by default), certain characters in section IDs don't get percent-encoded, including `$`, which is used for parameter substitution.
== Exploit ==
It is possible to combine this with raw localization message parameter expansion to create malformed HTML. While escalation to full-blown XSS hasn't been demonstrated so far, it remains a possibility.
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T176247
= T125163: id attribute on headlines allow raw > =
== Flaw ==
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T125163
= T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition =
== Flaw ==
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.20.x, 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T124404
= T119158: Language converter: unsafe attribute injection via glossary rules =
== Flaw ==
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.20.x, 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T119158