A flaw was found in Mediawiki before 1.28.1 / 1.27.2 / 1.23.16. Affected versions contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. References: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html https://phabricator.wikimedia.org/T150044
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1569741] Created mediawiki123 tracking bugs for this issue: Affects: epel-7 [bug 1569740] Created mediawiki119 tracking bugs for this issue: Affects: epel-6 [bug 1569739]