Phabricator Link | Wiki Link | Status | Priority | Author | Assignee | Projects | Subtasks | Parent Tasks
T106762 | T106762: Security review for firebase/php-jwt | resolved | High (red) | | | | |
T120888 | T120888: Create optional XSS filter step for the parser | open | Medium (orange) | | | | |
T125382 | T125382: Ensure DOMPurify meets our SVG sanitization requirements for Graphs | resolved | Medium (orange) | | | | |
T135963 | T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki | open | Medium (orange) | | | | |
T196923 | T196923: CSP Report: Triggered by mediawiki.js's domEval() function in Chrome and Safari (but not Firefox) | resolved | Medium (orange) | | | | |
T208188 | T208188: RFC: Partial opt-out method for Content security policy | open | Medium (orange) | | | | |
T209022 | T209022: current CSP testing policy would block frames | invalid | Needs Triage (violet) | | | | |
T209083 | T209083: Come up with a plan for community security reviews of MediaWiki extensions/skins | open | Low (yellow) | | | | |
T222598 | T222598: NamespaceInfo::getRestrictionLevels() does not correctly handle namespace restrictions that require more than one permission | resolved | Needs Triage (violet) | | | | |
T222720 | T222720: NamespaceInfo::getRestrictionLevels does not correctly handle group permissions | duplicate | Needs Triage (violet) | | | | |
T232568 | T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813) | resolved | High (red) | | | | |
T237852 | T237852: System Administrator avoids CSRF attacks on MediaWiki REST API | resolved | Medium (orange) | | | | |
T246991 | T246991: Memcached keys sometimes outlive their TTL (affects MW rate limit) | resolved | High (red) | | | | |
T248339 | T248339: Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future | open | Needs Triage (violet) | | | | |
T248367 | T248367: Update messages to notify WebAuthn users that they need to login on the same wiki they registered | resolved | Needs Triage (violet) | | | | |
T251661 | T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827) | resolved | High (red) | | | | |
T260485 | T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869) | resolved | High (red) | | | | |
T260631 | T260631: BotPasswords doesn't validate length of resultant bp_restrictions JSON | resolved | Medium (orange) | | | | |
T260633 | T260633: BotPasswords doesn't validate length of resultant bp_grants JSON | resolved | Medium (orange) | | | | |
T261358 | T261358: Review CORS strategy for WikimediaApiPortalOAuth extension | resolved | Medium (orange) | | | | |
T264798 | T264798: CentralAuth should not emit central cookies when creating a local session | open | Low (yellow) | | | | |
T270713 | T270713: CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level | resolved | High (red) | | | | |
T272386 | T272386: CVE-2021-30159: Non-admin deleted enwiki page in fast double move | resolved | Low (yellow) | | | | |
T277687 | T277687: Deprecated cross-wiki access to User. Expected: 'eswiki', Actual: the local wiki. Pass expected $wikiId. [Called from User::getId] | duplicate | Needs Triage (violet) | | | | |
T281972 | T281972: ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128) | resolved | Lowest (sky) | | | | |
T284274 | T284274: action=history with a high limit like >= 2000, can be slow and might timeout | open | Needs Triage (violet) | | | | |
T287542 | T287542: API action=parse&prop=headhtml leaking user tokens and other private info in cross-origin requests (again) | resolved | Needs Triage (violet) | | | | |
T292763 | T292763: CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis | resolved | High (red) | | | | |
T50976 | T50976: Update SecurePoll to use ResourceLoader | resolved | Medium (orange) | | | | |