MediaWiki Extensions and Skins Security Release Supplement (1.35.14/1.39.6/1.40.2/1.41.0)
Greetings-

With the security/maintenance release of MediaWiki
1.35.14/1.39.6/1.40.2/1.41.0, we would also like to provide this
supplementary announcement of MediaWiki extensions and skins with
now-public Phabricator tasks, security patches and backports [1]:

PageTriage
+ (T347704, CVE-2024-23174) - XSS in pagetriage-tags-quickfilter-label
PageTriage
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/989177

Cargo
+ (T348687, CVE-2024-23173) - Reflected XSS Could Lead to Steal User Cookie
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214/

CampaignTools
+ (T348343, CVE-2024-23171) - Various i18n-based XSSs in
Special:EventDetails
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/971248/

CheckUser
+ (T347708, CVE-2024-23172) - Several not properly escaped messages in the
CheckUser extension
https://gerrit.wikimedia.org/r/q/If3ce02cac9c5f2a6f84c42d902b8290eb1fa7250

MassMessage
+ (T347742, CVE-2024-23176) - MassMessage i18n key
massmessage-form-page-help allows i18n-xss
https://gerrit.wikimedia.org/r/q/Ife6fb590af53fa0d8eb59201ce88a3c47ddde45c

GlobalBlocking
+ (T347746, CVE-2024-23179) - GlobalBlocking subtitle links have i18n-xss
via the parentheses message
https://gerrit.wikimedia.org/r/q/Ide490ca62bdb79b80be5e016986c6c96bfa3b4cf
https://gerrit.wikimedia.org/r/q/I1cad283235ea974c7d4ffabc49e1ff801dd4d276

WatchAnalytics
+ (T348979, CVE-2024-23177) - WatchAnalytics: classic XSS on
Special:PageStatistics with the 'page' URL parameter
https://gerrit.wikimedia.org/r/q/I09f4663c1c619796624b7d296c1351e0245cdaf1

Phonos
+ (T349312, CVE-2024-23178) - XSS in Phonos via the
phonos-purge-needed-error message
https://gerrit.wikimedia.org/r/q/I4cbdd3a35ded2385c29983c77f98835fa2ca307c

FlexDiagrams
+ (T353138, CVE-2024-23178) - FlexDiagrams XSS bug
https://gerrit.wikimedia.org/r/q/I139e88d8669b14469e359d1d124b2647dde2a7ca

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or the relevant supported release branch
[2] as soon as possible. Some of the Phabricator tasks referenced above
_may_ still be private. Unfortunately, sensitive information is sometimes
exposed when security issues are reported, and because Phabricator preserves
task history, we cannot make these tasks public without also exposing that
information. If you have any additional questions or concerns regarding
this update, please feel free to contact security@wikimedia.org or file a
security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T347659
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
MediaWiki-announce mailing list -- mediawiki-announce@lists.wikimedia.org