
MediaWiki Extensions and Skins Security Release Supplement (1.35.11/1.38.7/1.39.4/1.40.0)
Greetings-

With the security/maintenance release of MediaWiki
1.35.11/1.38.7/1.39.4/1.40.0, we would also like to provide this
supplementary announcement of MediaWiki extensions and skins with
now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T333569, CVE-2023-37255) - Special:CheckUser 'get edits' is vulnerable
to HTML injection through user agent string.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/905706/

GoogleAnalyticsMetrics
+ (T333980, CVE-2023-37251) - GoogleAnalyticsMetrics parser function in
extension does not properly escape js in onclick handler and does not
prevent using javascript urls.
https://gerrit.wikimedia.org/r/c/905661

CheckUser
+ (T330968, CVE-2023-37252) - Special:CheckUserLog shows usernames which
have been hidden.
https://gerrit.wikimedia.org/r/c/933686
https://gerrit.wikimedia.org/r/c/932822

Cargo
+ (T331311, CVE-2023-37256) - Cargo allows storing javascript URLs in URL
fields, and automatically linking them.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894679

Cargo
+ (T331065, CVE-2023-37254) - XSS in Special:CargoQuery using default
format.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894666


ProofreadPage
+ (T326952, CVE-2023-37253) - ProofreadPage leaks suppressed user via the
API and config variables.
https://gerrit.wikimedia.org/r/q/Ibe5f8e25dea155bbd811a65833394c0d4b906a34

DoubleWiki
+ (T323651, CVE-2023-37304) - XSS in DoubleWiki extension (Wikisource).
https://gerrit.wikimedia.org/r/c/933666
https://gerrit.wikimedia.org/r/c/933667
https://gerrit.wikimedia.org/r/c/932825

CheckUser
+ (T338276, CVE-2023-37303) - Wikimedia\Rdbms\DBQueryDisconnectedError when
blocking user.
https://gerrit.wikimedia.org/r/c/932823

Wikibase
+ (T250720, CVE-2023-37301) - Wikidata edit filter does not fire when test
tool says it should.
https://gerrit.wikimedia.org/r/c/933663

Wikibase
+ (T339111, CVE-2023-37302) - Style injection into badges on Wikidata due
to unescaped quotes.
https://gerrit.wikimedia.org/r/c/933649
https://gerrit.wikimedia.org/r/c/933650

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security@wikimedia.org
or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T333626
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Re: MediaWiki Extensions and Skins Security Release Supplement (1.35.11/1.38.7/1.39.4/1.40.0)
> Wikibase
> + (T339111, CVE-2023-37302) - Style injection into badges on Wikidata due
> to unescaped quotes.
> https://gerrit.wikimedia.org/r/c/933649
> https://gerrit.wikimedia.org/r/c/933650

It should be noted that the description of this issue is incorrect. It is
an XSS, not just a style injection.

--
bawolff