| Issue | CVE | Report |
|---|---|---|
| Possible to make restricted files public on Phabricator via Diffusion | None | https://hackerone.com/reports/1560717 |
| Conduit feed.publish API allows you to spoof other users or make it look like you have access to a restricted object | None | https://hackerone.com/reports/1566325 |
| Global default settings page is accessible to non-administrators | None | https://hackerone.com/reports/1563139 |
| Deprecated owners.query API bypasses object view policy | None | https://hackerone.com/reports/1584409 |
| Users can view limited information about secure Phabricator revisions due to publicly joinable group mozilla-phabricator-emails | None | https://bugzilla.mozilla.org/show_bug.cgi?id=1773931 |
| Mozilla Phabricator emails allow any user to secretly access secure revision title, comments and private files | None | https://bugzilla.mozilla.org/show_bug.cgi?id=1820151 |
| Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo | CVE-2021-44858, CVE-2021-44857 | https://phabricator.wikimedia.org/T297322 |
| Unauthorized users can access private wiki contents using rollback action | CVE-2021-45038 | https://phabricator.wikimedia.org/T297574 |
| XSS in Wikibase using formatter URL | CVE-2021-45472 | https://phabricator.wikimedia.org/T297570 |
| XSS in Special:ImportFile URL | CVE-2021-45474 | https://phabricator.wikimedia.org/T296605 |
| REST API incorrectly publicly caches results from private wikis | CVE-2021-44854 | https://phabricator.wikimedia.org/T292763 |
| Globally blocked IPs can edit EntitySchema items | CVE-2021-45471 | https://phabricator.wikimedia.org/T296578 |
| XSS on page information Wikibase central description | CVE-2021-45473 | https://phabricator.wikimedia.org/T294693 |
| FileImporter allows imports to cascade protected files when the importer does not have administrator permissions | CVE-2022-28206 | https://phabricator.wikimedia.org/T294256 |
| L36 Legalpad document is editable by anyone | None | https://phabricator.wikimedia.org/T307974 |
| acl*wmcs-team, acl*blog-admins joinable by anyone | None | https://phabricator.wikimedia.org/T310098 |
| Public Phabricator dump includes restricted project columns | None | https://phabricator.wikimedia.org/T309757 |
| XSS in ShortDescription extension | CVE-2022-21710 | https://phabricator.miraheze.org/T8609 |
| Private wiki pages can leak via Special:Preferences signature preview | None | https://phabricator.miraheze.org/T8448 |