| Vuln. type | Component | Date fixed | Commit hash, Phab ticket, etc. |
| --- | --- | --- | --- |
| Missing authentication | Extension:Comments | 7 January 2012 | SVN r108296 |
| XSS | Extension:Comments | 7 January 2012 | SVN r108320 |
| Missing authentication | Extension:Comments | 15 July 2012 | SVN r115613, phab:T36303 |
| CSRF | Extension:Comments | 29 July 2013 | d8f84d4152d60da8dd641bab3591c2af038171ec |
| XSS | Skin:NokiaDev | 2 November 2015 | rSHWK3722 |
| XSS | Skin:DeskMessMirrored | 3 November 2015 | a1a4dfc37332cabcd8df15a07ad46de7dee48455 |
| XSS | Skin:Gamepress | 3 November 2015 | 6f7901ed5def6533c34662d4e873f03470d5dc6f |
| XSS, SQL injection | Extension:WikiCategoryTagCloud | 19 November 2015 | 3142e48296c06cabb9f4634d81cf0b51aca2e16e |
| SQL injection (potential) | Extension:SocialProfile | 22 March 2016 | b5de81ec4dab3a48640f03e2f817bd2c77700487 |
| XSS | Extension:MediaWikiChat | 18 July 2016 | 42dfb6382a06810c0052b8696f4eb4bc33c15a9e |
| Privilege escalation | Extension:Comments | 18 August 2016 | 2330bdae053585ca148f85e0c98bee4ed06a8495 |
| CSRF | Extension:Comments | 1 September 2016 | afa39f4027d298a9f6d7242a1870766b6568be45 |
| CSRF | Extension:UserStatus | 2 September 2016 | 5b9fcdb2c22b2b3a42a3ffe70b76138b25475f6e |
| CSRF | Extension:LinkFilter | 3 September 2016 | d16c38cccaab69fe9cbb3124579c51ffafb29f45 |
| SQL injection, XSS, DOS | Extension:BlogPage | 17 December 2016 | c57f671db220176e1c51030e20534e0782c9387b, phab:T152884 |
| XSS | Extension:SocialProfile | 13 January 2017 | 1a0e44e3e43db590ce7735b8001a1ee95fbfda0b |
| CSRF | Extension:ImageRating | 16 January 2017 | rSHWK4092 |
| CSRF, XSS | Extension:SocialProfile | 22 July 2017 | 878d859d2efab27e86873da2da5f61e4158718b1 |
| CSRF | Extension:CreateRedirect | 4 November 2017 | 9f6155fab7586f0401105885548439c8c8db6c20, phab:T178787 |
| XSS | Extension:SocialProfile | 11 November 2017 | e06b4fd22b5159cf8e882b4b69875ba719390832 |
| XSS | Skin:Liberty | 21 November 2017 | 939ee9b8663f4de913f1667e4f56e281011a36dd |
| XSS | Extension:MediaWikiChat | 27 July 2018 | 4d647df4474e8e5690ae669a46368f9ecd2a7257, phab:T166997 |
| SQL injection | Extension:SportsTeams | 8 September 2018 | 6182c6b2a1a838fd9a25c61dfb69b8a60836ec8f |
| XSS | SEO (HydraWiki ext.) | 5 December 2019 | 2f701e4d45eb1d4ced6f5cee79b8170d9c9947d5 |
| CSRF | Extension:Challenge | 14 January 2020 | ef1963a251531df56a06b7c5b9e91c5cfc8d639a, phab:T241735 |
| CSRF | Extension:SocialProfile | February 2020 | phab:T242689 |
| CSRF | Extension:SpamRegex | 11 March 2020 | 3dae67662a0ef7f50b75db9732402a23ca45a9e7, phab:T217871 |
| InfoLeak, Privilege escalation | Extension:SocialProfile | 24 March 2020 | a6ea1107cdbc096e50e6d2b5c0fa9c6de58062c1, phab:T248385 |
| CSRF | Extension:SportsTeams | 15 April 2020 | bccf8758c699f2ecb7b0f43a5f5606d2ec59beb2 |
| CSRF | Extension:PollNY | 24 May 2020 | phab:T248583, bbe723ea2cc38fee0de00a50d032e7d2c68bc2d1 |
| XSS | Extension:PictureGame | 30 August 2020 | fde2cd7a5e9b675e6c78003f47e21bd8634271f9 |
| CSRF | Extension:SportsTeams | 29 September 2020 | 46a0054e0d0c5f15ecf10e6a428e73daf6608f4f |
| XSS (stored) | Extension:RandomGameUnit | 26 October 2020 | phab:T266400, 69bcc1ae9f8246f59b626d72348e11bd2ddb2231; CVE-2020-27957 (my first security bug with a CVE identifier!) |
| XSS (stored) | Extension:PollNY | 16 November 2020 | phab:T266508, 6bd768366a1da23fb3e29e36947d542effb2280c; CVE-2020-29003 |
| CSRF | Extension:PushToWatch | 26 November 2020 | phab:T268641, 14dc79b1f44c2a1ca6b1192284206c7b8626fb57; CVE-2020-35626 |
| XSS (stored) | Extension:SocialProfile (SystemGifts) | 16 May 2021 | phab:T281043, 58d2420c0f726cd469c638043ed66a4374b136f2; CVE-2021-36130 |
| XSS (stored) | Extension:SportsTeams | 16 May 2021 | phab:T281196, 2a94a2e78ef8f19bbd4dccd24f2a042791627f88; CVE-2021-36131 |
| Missing authentication | Extension:QuizGame | 21 February 2022 | phab:T302199, 665e33a68f6fa1167df99c0aa18ed0157cdf9f66 |
| CSRF | Extension:PrivateDomains | 16 April 2022 | phab:T306290, 1ad65d4c1c199b375ea80988d99ab51ae068f766, CVE-2022-29903 |
| CSRF | Extension:FanBoxes | 23 April 2022 | phab:T306741, 027ffb0b9d6fe0d823810cf03f5b562a212162d4 |
| XSS | Skin:Nimbus | 25 April 2022 | phab:T306815, CVE-2022-29907 |
| CSRF | Extension:SportsTeams | 27 August 2023 | phab:T345040, CVE-2023-45374 |
| Missing authentication | Extension:SportsTeams | 21 September 2023 | phab:T345680, CVE-2023-45370 |
| XSS | Extension:WatchAnalytics | 17 October 2023 | phab:T348979, CVE-2024-23177 |
| XSS (stored) | Extension:Challenge | 31 March 2024 | phab:T361365, 8548b653f07dca755708e9a7277891fe8c47434c |
| XSS (stored) | Skin:Metrolook | 31 March 2024 | phab:T361449, CVE-2024-40600, 5e4b1e426e88e395b3ce372069d0a183d4720418 |
| XSS (stored) | Skin:GuMaxDD | 3 April 2024 | phab:T361448, CVE-2024-40599, d83c0a04e676d8cf832e029ad5648c300f2d5637 |
| XSS (stored) | Skin:Nimbus | 28 April 2024 | phab:T361450, CVE-2024-40604 |
| XSS (stored) | Skin:Tempo | 3 April 2024 | phab:T361451, CVE-2024-40602, 358aaa73188ee0b8e36d4ce785f06df6e40dfc1b |
| XSS (stored) | Skin:Foreground | 3 April 2024 | phab:T361452, CVE-2024-40605, 0bb47d07264543bcf83493867369d591e03a3222 (patch committed by Sam Wilson) |
| XSS (stored) | Skin:BlueLL | 9 July 2024 | phab:T361453, CVE-2024-40612 |
| CSRF | Extension:MediaWikiChat | 23 April 2024 | phab:T362588, CVE-2024-40601, 1d0784ece6cc627622381fbd1357329d773a7d57 |
| CSRF | Extension:ArticleRatings | 1 May 2024 | phab:T363884, CVE-2024-40603, c4cb89b5e65c58099acf694cc971f04cb3e046f9 |
| CSRF | Extension:ArticleFeedbackv5 | 28 May 2024 | d0203912fe850e6da99fe3fcdcf35e53338aeeeb |
| XSS (stored) | Skin:WebPlatform | 13 June 2024 | 2cd1e9d2eaa639b2baa54c1910b56bb0972f3b0c |
| InfoLeak | Extension:SocialProfile | 14 January 2025 | phab:T373265, CVE-2025-23074, 0c5c921927a3a03deda88e70b9a78a01c56d40ad (patch submitted to gerrit by Mmartorana) |
| CSRF, (stored) XSS | Extension:WikiForum | 6 January 2025 | phab:T312733, e0bd65ef5a40526e3d8eeb2f1363e87c080a08dc |