Translations:2021-12 security release/FAQ/3/en


 * CVE-2021-44858: The "undo" feature allowed an attacker to view the contents of arbitrary revisions, regardless of whether they had permissions to do so. This was also found in the "mcrundo" and "mcrrestore" actions.
 * CVE-2021-45038: The "rollback" feature could be passed a specially crafted parameter that allowed an attacker to view the contents of arbitrary pages, regardless of whether they had permissions to do so.
 * CVE-2021-44857: The "mcrundo" and "mcrrestore" actions did not properly check for editing permissions, and allowed an attacker to take the content of an arbitrary revision and save it on any page of their choosing. This affects both public wikis and public pages on private wikis.