Impact
It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit 6bc0685. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere.
Patches
https://issue-tracker.miraheze.org/F3093343
Issue has also been fixed as of commit 3415c1
Workarounds
Disable Special:RequestWikiQueue outside of the wiki where you receive wiki requests. An example of this is available at miraheze/mw-config@fb3e68b
References
https://issue-tracker.miraheze.org/T11999
redbluegreenhat Remediation developer
Impact
It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit
6bc0685. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere.Patches
https://issue-tracker.miraheze.org/F3093343
Issue has also been fixed as of commit
3415c1Workarounds
Disable Special:RequestWikiQueue outside of the wiki where you receive wiki requests. An example of this is available at miraheze/mw-config@fb3e68b
References
https://issue-tracker.miraheze.org/T11999