During internal review, an XSS (cross-site scripting) vulnerability was discovered in the MobileFrontend extension. Due to an unneeded unescaping of already sanitized section titles, HTML inserted as plaintext into them was injected into the DOM. While on ordinary page views only users who have intentionally enabled MobileFrontend's beta mode are in danger, it is possible to construct URLs that enable beta for every user following them. Another requirement for this vulnerability is screen width, which must be at least 768 pixels.
Affected versions include MobileFrontend for MediaWiki 1.23 (branch REL1_23, still in release candidate phase) and 1.24 (master). If you are running a 1.24 WMF branch earlier than wmf/1.24wmf3, please update to a later branch.
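As an added illustration of the mechanism described above (an already-sanitized section title being unescaped again on the client before it is spliced into markup that ends up in the DOM), here is a small model of the vulnerable and the fixed rendering path. This is not MobileFrontend's own code and none of the function names come from the extension; the escape/unescape helpers, the heading wrapper and the sample title are all constructed for the example.

```javascript
// Added example, not MobileFrontend code. Function names and the heading
// markup are assumptions made for illustration only.

// Server side (PHP in the real extension) emits section titles HTML-escaped,
// so a title that merely looks like a tag is harmless text at this point.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#039;');
}

// The "unneeded unescaping": reverses escapeHtml. Applied to an
// already-sanitized title it reintroduces the raw markup.
function unescapeHtml(s) {
  return s.replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"')
          .replace(/&#0?39;/g, "'")
          .replace(/&amp;/g, '&');   // must be last, mirrors escapeHtml doing & first
}

// Vulnerable rendering path: takes the escaped title, unescapes it, and
// builds the heading markup that will later be assigned to innerHTML.
function renderSectionVulnerable(escapedTitle) {
  return '<h2 class="section-heading">' + unescapeHtml(escapedTitle) + '</h2>';
}

// Fixed rendering path: the escaped title goes straight into the markup,
// so the browser renders the entities as text instead of parsing them.
function renderSectionFixed(escapedTitle) {
  return '<h2 class="section-heading">' + escapedTitle + '</h2>';
}

// Crude injection oracle: a heading built by either path should contain
// exactly the two wrapper tags; any extra tag means attacker-controlled
// markup would become live DOM once the string hits innerHTML.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

function isInjected(html) {
  return countTags(html) > 2;
}

// Constructed input: a section title written as plain text that happens to
// look like an <img> tag with an event handler (the "HTML inserted as
// plaintext" of the advisory). Nothing here was taken from a real wiki.
const rawTitle = '== <img src=x onerror=alert(document.cookie)> ==';
const escapedTitle = escapeHtml(rawTitle);

console.log('vulnerable:', renderSectionVulnerable(escapedTitle),
            'injected =', isInjected(renderSectionVulnerable(escapedTitle)));
console.log('fixed:     ', renderSectionFixed(escapedTitle),
            'injected =', isInjected(renderSectionFixed(escapedTitle)));
```

The point to take away is that the client never needed to decode anything: the server already produced text that is safe for an HTML context, and the only correct client-side action is to pass it through unchanged (or, if a DOM API is available, to set `textContent` rather than `innerHTML`). The beta-mode and 768px conditions in the advisory only gate which code path runs; they do not change the escaping logic shown here.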
Almost forgot: this is https://bugzilla.wikimedia.org/show_bug.cgi?id=65042
On Wed, May 14, 2014 at 4:28 PM, Max Semenik maxsem.wiki@gmail.com wrote:
> During internal review, an XSS (cross-site scripting) vulnerability was discovered in the MobileFrontend extension. Due to an unneeded unescaping of already sanitized section titles, HTML inserted as plaintext into them was injected into the DOM. While on ordinary page views only users who have intentionally enabled MobileFrontend's beta mode are in danger, it is possible to construct URLs that enable beta for every user following them. Another requirement for this vulnerability is screen width, which must be at least 768 pixels.
> Affected versions include MobileFrontend for MediaWiki 1.23 (branch REL1_23, still in release candidate phase) and 1.24 (master). If you are running a 1.24 WMF branch earlier than wmf/1.24wmf3, please update to a later branch.
-- Best regards, Max Semenik ([[User:MaxSem]])
On 2014-05-14, 4:28 PM, Max Semenik wrote:
> Another requirement for this vulnerability is screen width which must be at least 768 pixels.
LOL, some part of me just loves and finds vulnerability requirements like this awesomely amusing.
I wonder if there's an XKCD entry like this.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
wikitech-l@lists.wikimedia.org