| Phabricator Link | Wiki Link | Status | Priority | Author | Assignee | Projects | Subtasks | Parent Tasks |
|---|---|---|---|---|---|---|---|---|
| T121240 | T121240: Network isolation for production and semi-production services | open | Medium (orange) | | | | | |
| T140813 | T140813: Protect sensitive user-related information with a UserData / auth / session service | open | Medium (orange) | | | | | |
| T144467 | T144467: Security review for Google MT for Content Translation | resolved | Medium (orange) | | | | | |
| T152972 | T152972: Accessing private information through SecurePoll should be logged | open | Needs Triage (violet) | | | | | |
| T161647 | T161647: RFC: Deprecate using php serialization inside MediaWiki | resolved | Medium (orange) | | | | | |
| T169328 | T169328: Protect against PHP code execution via memcached/unserialize | open | Medium (orange) | | | | | |
| T179901 | T179901: Create a tmp directory just for MediaWiki | declined | Medium (orange) | | | | | |
| T184458 | T184458: Floats are badly interpreted in SQL when locale is not English | declined | Low (yellow) | | | | | |
| T189641 | T189641: Service for checking the Pwned Passwords database | open | Low (yellow) | | | | | |
| T199540 | T199540: Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API | resolved | Needs Triage (violet) | | | | | |
| T205810 | T205810: Slow query in ApiQueryBacklinksprop when using an empty xxnamespace parameter | resolved | Needs Triage (violet) | | | | | |
| T207297 | T207297: Phan SecurityCheck-XSS and SecurityCheck-SQLInjection errors in SecurePoll extension | resolved | High (red) | | | | | |
| T208188 | T208188: RFC: Partial opt-out method for Content security policy | open | Medium (orange) | | | | | |
| T213362 | T213362: Limit what URLs Proton can access | resolved | High (red) | | | | | |
| T232568 | T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813) | resolved | High (red) | | | | | |
| T232789 | T232789: List active MediaWiki sessions for your account | duplicate | Medium (orange) | | | | | |
| T234450 | T234450: Special:Contributions requests with a high &limit= caused excessive database load | resolved | Low (yellow) | | | | | |
| T234862 | T234862: Do not show oversighted edit summaries in CheckUser API (CVE-2019-18611) | resolved | Medium (orange) | | | | | |
| T236701 | T236701: Consider enforcing read permissions at the storage layer | open | Medium (orange) | | | | | |
| T239466 | T239466: Possible to circumvent title-blacklist (CVE-2019-19709) | resolved | Medium (orange) | | | | | |
| T241039 | T241039: Create an API for sending yourself an arbitrary HTML email | open | Medium (orange) | | | | | |
| T248483 | T248483: Security Readiness Review For MediaModeration | resolved | Medium (orange) | | | | | |
| T251661 | T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827) | resolved | High (red) | | | | | |
| T253067 | T253067: API Portal: Document security best practices | resolved | Medium (orange) | | | | | |
| T255370 | T255370: Document best practices for user login if user is using 2FA | open | Low (yellow) | | | | | |
| T256395 | T256395: Logged in with an account that doesn't belong to me | resolved | High (red) | | | | | |
| T256427 | T256427: Normal admin cannot delete site-wide javascript page | invalid | Medium (orange) | | | | | |
| T256535 | T256535: Same-Origin policy prevents reading HTML pages cross-origin | open | Medium (orange) | | | | | |
| T257930 | T257930: Security Readiness Review For OAuthRateLimiter | resolved | High (red) | | | | | |
| T258322 | T258322: Open redirect in wikis that use http://domain.tld/index.php format | open | Low (yellow) | | | | | |
| T259140 | T259140: Decide if $wgRawHtml is needed, and if so, necessary mitigations | resolved | Needs Triage (violet) | | | | | |
| T260485 | T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869) | resolved | High (red) | | | | | |
| T260587 | T260587: Security Readiness Review For Wikimedia/oauth2-server | resolved | Medium (orange) | | | | | |
| T260588 | T260588: Security Readiness Review For Adding Private Claims To OAuth Extension | resolved | Medium (orange) | | | | | |
| T260631 | T260631: BotPasswords doesn't validate length of resultant bp_restrictions JSON | resolved | Medium (orange) | | | | | |
| T260633 | T260633: BotPasswords doesn't validate length of resultant bp_grants JSON | resolved | Medium (orange) | | | | | |
| T261050 | T261050: Frequent "Invalid CSRF token" errors on Wikimedia projects using Pywikibot since August 2020 | open | High (red) | | | | | |
| T261143 | T261143: Fix misattribution of block due to bad values in the ipblocks ipb_by_actor field | resolved | Medium (orange) | | | | | |
| T261325 | T261325: Fix rows in ipblocks that point to a non-existing user in ipb_by_actor field, due to T260485 | declined | High (red) | | | | | |
| T261358 | T261358: Review CORS strategy for WikimediaApiPortalOAuth extension | resolved | Medium (orange) | | | | | |
| T262554 | T262554: Don't run gadgets on Special:OAuth/authorize | resolved | Medium (orange) | | | | | |
| T263220 | T263220: Limit concurrency of DPL queries | open | High (red) | | | | | |
| T263927 | T263927: MediaWiki user and password fields should have the proper autocomplete value | open | Needs Triage (violet) | | | | | |
| T270713 | T270713: CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level | resolved | High (red) | | | | | |
| T272386 | T272386: CVE-2021-30159: Non-admin deleted enwiki page in fast double move | resolved | Low (yellow) | | | | | |
| T276316 | T276316: Argument 1 passed to MediaWiki\User\UserNameUtils::getCanonical() must be of the type string, null given, called in /srv/mediawiki/php-1.36.0-wmf.33/extensions/CentralAuth/includes/CentralAuthGroupMembershipProxy.php on line 48 | resolved | High (red) | | | | | |
| T277687 | T277687: Deprecated cross-wiki access to User. Expected: 'eswiki', Actual: the local wiki. Pass expected $wikiId. [Called from User::getId] | duplicate | Needs Triage (violet) | | | | | |
| T281972 | T281972: ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128) | resolved | Lowest (sky) | | | | | |
| T284274 | T284274: action=history with a high limit like >= 2000, can be slow and might timeout | open | Needs Triage (violet) | | | | | |
| T287542 | T287542: API action=parse&prop=headhtml leaking user tokens and other private info in cross-origin requests (again) | resolved | Needs Triage (violet) | | | | | |
| T292763 | T292763: CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis | resolved | High (red) | | | | | |
| T32018 | T32018: Require some user groups to have a periodically confirmed valid email address | open | Lowest (sky) | | | | | |
| T6845 | T6845: CAPTCHA doesn't work for people with visual impairments | open | Medium (orange) | | | | | |
| T92680 | T92680: iptables firewall to limit access to Cassandra services | resolved | Medium (orange) | | | | | |