logo

Hall of Fame


This page contains various people that the Wikimedia Security Team would like to give thanks to for responsibly reporting security issues.

If you've previously reported a valid security issue (and had it acknowledged and fixed) to Wikimedia, and would like mentioning on this page, please contact us and provide details.

Submit your previously-resolved security issues for Hall of Fame consideration using this Google Form (Google Form Privacy Statement).

Hall of Fame (December 2015 - Current)

Date Reporter Task/Ticket Product Description CVE
2024-06-13 Chocapikk1337 T365644 svgtranslate tool svgtranslate allowed for remote code execution via improperly-sanitized input data N/A
2023-02-20 Majid Alqabandi T330086 OATHAuth Extension OATHAuth allows replay attacks when configured without ObjectCache CVE-2023-29142
2022-10-14 Sheldon Menezes T320785 MediaWiki Core XSS in Special:Search None, never released
2021-10-17 Aidil Arief T293589 VisualEditor Extension Blind Stored XSS via Upload Image URL CVE-2021-44855
2021-10-16 Aidil Arief T293556 WikibaseMediaInfo extension Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org CVE-2021-46146
2021-01-14 surg4bij4k T272082 Jetty as bundled with archiva Reflected XSS on archiva.wikimedia.org CVE-2019-10241
November 2017 Abdullah Hussam T128209 MediaWiki 1.29.2, 1.28.3 and 1.27.4 api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability. CVE-2017-8809
November 2017 User:Anomie T165846 MediaWiki 1.29.2, 1.28.3 and 1.27.4 No CVE documented. Please consult Phab for more info. none
November 2017 User:Matma Rex T134100 MediaWiki 1.29.2, 1.28.3 and 1.27.4 MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests. CVE-2017-8810
November 2017 User:Bawolff T178451 MediaWiki 1.29.2, 1.28.3 and 1.27.4 MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping. CVE-2017-8808
November 2017 User:Bastenbas T176247 MediaWiki 1.29.2, 1.28.3 and 1.27.4 The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks. CVE-2017-8811
November 2017 User:Bawolff T125163 MediaWiki 1.29.2, 1.28.3 and 1.27.4 MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline. CVE-2017-8812
November 2017 User:Bawolff T124404 MediaWiki 1.29.2, 1.28.3 and 1.27.4 The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk." CVE-2017-8814
November 2017 User:Bawolff T119158 MediaWiki 1.29.2, 1.28.3 and 1.27.4 The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules. CVE-2017-8815
November 2017 User:Anomie T180488 MediaWiki 1.29.2, 1.28.3 and 1.27.4 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext. CVE-2017-0361
November 2017 Tom Hutchison T180231 MediaWiki 1.29.2, 1.28.3 and 1.27.4 Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a " CVE-2017-9841
April 2017 User:Valhallasw T109140 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites. CVE-2017-0363
April 2017 User:Bawolff T122209 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link. CVE-2017-0364
April 2017 User:Bawolff T144845 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations. CVE-2017-0365
April 2017 User:Tgr T125177 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext. CVE-2017-0361
April 2017 User:Legoktm T150044 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. CVE-2017-0362
April 2017 User:Bawolff T156184 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw making rawHTML mode apply to system messages. CVE-2017-0368
April 2017 User:Cassiogomes11 T151735 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing to evade SVG filter using default attribute values in DTD declaration. CVE-2017-0366
April 2017 User:MZMcBride T48143 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw were Spam blacklist is ineffective on encoded URLs inside file inclusion syntax's link parameter. CVE-2017-0370
April 2017 User:Luke081515 T108138 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw, allowing a sysops to undelete pages, although the page is protected against it. CVE-2017-0369
April 2017 User:Bawolff T161453 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure. CVE-2017-0367
April 2017 Yorick Koster (Securify) T158689 MediaWiki 1.28.1, 1.27.2 and 1.23.16 Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities. CVE-2017-0372
August 2016 User:This, that and the other T139565, T139570 MediaWiki 1.27.1, 1.26.4, 1.23.15 MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php. CVE-2016-6335
August 2016 User:Bawolff T137264 MediaWiki 1.27.1, 1.26.4, 1.23.15 Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links. CVE-2016-6334
August 2016 User:Bawolff T133147 MediaWiki 1.27.1, 1.26.4, 1.23.15 Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css. CVE-2016-6333
August 2016 User:Bawolff T132926 MediaWiki 1.27.1, 1.26.4, 1.23.15 MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete. CVE-2016-6336
August 2016 User:Multichill T129738 MediaWiki 1.27.1, 1.26.4, 1.23.15 MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to terminate sessions when a user account is blocked. CVE-2016-6332
August 2016 User:Church of emacs T115333 MediaWiki 1.27.1, 1.26.4, 1.23.15 ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php. CVE-2016-6331
August 2016 User:PleaseStand T57548 MediaWiki 1.27.1, 1.26.4, 1.23.15 No CVE documented. Please consult Phab for more info. none
August 2016 User:Anomie T139670 MediaWiki 1.27.1, 1.26.4, 1.23.15 MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights. CVE-2016-6337
May 2016 User:Unicornisaurous T122056 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:Bawolff T127114 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:MaxSem T123653 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:Bawolff T123071 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:eranroz T129506 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:Matiia T125283 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:Fomafix T103239 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:CSteipp (WMF) T122807 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:MaxSem T130947 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:Ori Livneh T133507 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:Bawolff T110143 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:Anomie T132874 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:PleaseStand T127420 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:CSteipp (WMF) T126685 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
May 2016 User:CSteipp (WMF) T116030 MediaWiki 1.26.3, 1.25.6 and 1.23.14 No CVE documented. Please consult Phab for more info. none
Dec 2015 User:Xavier Combelle T109724 MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12 The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 allow remote attackers to obtain sensitive user login information via crafted links combined with page view statistics. CVE-2015-8628
Dec 2015 User:Vituzzu T97897 MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12 MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not supposed to have been allowed. CVE-2015-8627
Dec 2015 Frank R. Farmer T115522 MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12 The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 generates passwords smaller than $wgMinimalPasswordLength, which makes it easier for remote attackers to obtain access via a brute-force attack. CVE-2015-8626
Dec 2015 User:Catrope T118032 MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12 MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters. CVE-2015-8625
Dec 2015 User:Anomie gerrit:156336 MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12 The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624. CVE-2015-8623
Dec 2015 User:Tgr (WMF) T119309 MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12 The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623. CVE-2015-8624
Dec 2015 User:Matma Rex T117899 MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12 Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to a page named "javascript:alert('XSS!')." CVE-2015-8622

Hall of Fame (Older)

Year Reporter Found Fixed
2016 Sergey Belov T118769
2016 User:Ori Livneh T118769
2015 User:BWolff (WMF) CVE-2015-2933, CVE-2015-2932 CVE-2015-8628, CVE-2015-2933
2015 User:BJorsch (WMF) CVE-2015-8004 CVE-2015-8623, CVE-2015-8626, CVE-2015-8001, CVE-2015-8002, CVE-2015-6728, CVE-2015-2938, CVE-2015-8004
2015 User:Brion Vibber (WMF) CVE-2015-6735
2015 User:Bsadowski1 CVE-2015-6727
2015 User:CSteipp (WMF) CVE-2015-8003, CVE-2015-6732, CVE-2015-6732, CVE-2015-6728, CVE-2015-6730, CVE-2015-2937, CVE-2015-2934, CVE-2015-2936 CVE-2015-8009, CVE-2015-8008, CVE-2015-8003, CVE-2015-6732, CVE-2015-6731, CVE-2015-6730, CVE-2015-2931, CVE-2015-2937, CVE-2015-2934, CVE-2015-2942, CVE-2015-2932
2015 User:DPatrick (WMF) T98533
2015 User:Frankrfarmer CVE-2015-8626
2015 User:Grunny CVE-2015-6731, CVE-2015-8006 CVE-2015-8006
2015 User:Hoo man CVE-2015-6736
2015 User:Jackmcbarn CVE-2015-2939 CVE-2015-2939
2015 John Menerick CVE-2015-6729
2015 User:Legoktm CVE-2015-8007 CVE-2015-6727, CVE-2015-2941, CVE-2015-2940, CVE-2015-8007
2015 Majr CVE-2015-6737
2015 User:MaxSem CVE-2015-6733 CVE-2015-6734, CVE-2015-6733
2015 User:McZusatz CVE-2015-6735
2015 User:Ngocdh CVE-2015-6734
2015 User:Parent5446 CVE-2015-2936, CVE-2015-2935
2015 User:Roan Kattouw (WMF) CVE-2015-8625 CVE-2015-8625
2015 User:RobinHood70 CVE-2015-8001
2015 Richard Stanway CVE-2015-8005, CVE-2015-8002
2015 User:Sitic CVE-2015-8009, CVE-2015-8008
2015 User:Tgr (WMF) CVE-2015-8624 CVE-2015-8624
2015 User:Vituzzu CVE-2015-8627
2015 User:Xavier Combelle CVE-2015-8628
2015 User:^demon CVE-2015-6736