Greetings- With the security/maintenance release of MediaWiki 1.35.11/1.38.7/1.39.4/1.40.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
* CheckUser + (T333569, CVE-2023-37255) - Special:CheckUser 'get edits' is vulnerable to HTML injection through the user agent string.
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/905706/

* GoogleAnalyticsMetrics + (T333980, CVE-2023-37251) - The GoogleAnalyticsMetrics parser function does not properly escape JS in the onclick handler and does not prevent the use of javascript: URLs.
  https://gerrit.wikimedia.org/r/c/905661

* CheckUser + (T330968, CVE-2023-37252) - Special:CheckUserLog shows usernames which have been hidden.
  https://gerrit.wikimedia.org/r/c/933686
  https://gerrit.wikimedia.org/r/c/932822

* Cargo + (T331311, CVE-2023-37256) - Cargo allows storing javascript: URLs in URL fields and automatically links them.
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894679

* Cargo + (T331065, CVE-2023-37254) - XSS in Special:CargoQuery using the default format.
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894666

* ProofreadPage + (T326952, CVE-2023-37253) - ProofreadPage leaks a suppressed user via the API and config variables.
  https://gerrit.wikimedia.org/r/q/Ibe5f8e25dea155bbd811a65833394c0d4b906a34

* DoubleWiki + (T323651, CVE-2023-37304) - XSS in the DoubleWiki extension (Wikisource).
  https://gerrit.wikimedia.org/r/c/933666
  https://gerrit.wikimedia.org/r/c/933667
  https://gerrit.wikimedia.org/r/c/932825

* CheckUser + (T338276, CVE-2023-37303) - Wikimedia\Rdbms\DBQueryDisconnectedError when blocking a user.
  https://gerrit.wikimedia.org/r/c/932823

* Wikibase + (T250720, CVE-2023-37301) - The Wikidata edit filter does not fire when the test tool says it should.
  https://gerrit.wikimedia.org/r/c/933663

* Wikibase + (T339111, CVE-2023-37302) - Style injection into badges on Wikidata due to unescaped quotes.
  https://gerrit.wikimedia.org/r/c/933649
  https://gerrit.wikimedia.org/r/c/933650

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or the relevant, supported release branch [2] as soon as possible.
Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sensitive information is sometimes exposed, and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information.

If you have any additional questions or concerns regarding this update, please feel free to contact secur...@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T333626
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs