MediaWiki allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the title attribute.
Reference:
https://phabricator.wikimedia.org/T68404
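As an added illustration (not MediaWiki's own sanitizer code), the following Python check audits an HTML fragment for the pattern described above: an inline style whose attr() call requests the url type, and reports which attribute supplies the URL. The function names, the sample fragments and the host tracker.example.invalid are constructed for this example.

```python
import re
from html.parser import HTMLParser

# CSS escapes: backslash + 1-6 hex digits (+ one optional space), or backslash + literal char.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# attr() whose second argument is the "url" type: attr(title url) or attr(title, url).
_ATTR_URL = re.compile(r"attr\s*\(\s*([a-z_][\w-]*)[\s,]+url\b", re.I)


def normalize_css(value):
    """Decode CSS escapes and turn comments into spaces so obfuscated spellings match."""
    def decode(m):
        if m.group(2) is not None:
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return _COMMENT.sub(" ", _ESCAPE.sub(decode, value))


class InlineStyleAudit(HTMLParser):
    """Collects every element whose style attribute pulls a URL out of another attribute."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        css = normalize_css(attrs.get("style") or "")
        for m in _ATTR_URL.finditer(css):
            source = m.group(1).lower()
            self.findings.append({"tag": tag, "attr": source, "url": attrs.get(source)})


def find_attr_url_leaks(html):
    audit = InlineStyleAudit()
    audit.feed(html)
    audit.close()
    return audit.findings


# Constructed sample fragments; tracker.example.invalid is a placeholder host.
SAMPLES = {
    "plain": '<div style="background-image: attr(title url);" title="https://tracker.example.invalid/p.png">x</div>',
    "obfuscated": '<DIV title="https://tracker.example.invalid/p.png" style="background-image:\\61ttr(title/**/\\75rl)">x</DIV>',
    "tooltip": '<span style="content: attr(title)" title="attr(title url)">x</span>',
}

if __name__ == "__main__":
    for name, fragment in SAMPLES.items():
        print(name, find_attr_url_leaks(fragment))
```

The "tooltip" sample shows that attr(title) without the url type, and attr() text that appears only inside a title value, are not reported.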
Comment 1 Product Security DevOps Team
2022-03-03 06:20:55 UTC