Greetings- With the security/maintenance release of MediaWiki 1.39.14/1.43.4/1.44.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
Lockdown
+ (T397521, CVE-2025-12004) - Compare API module breaks Lockdown Extension (Note: this issue was resolved by a MediaWiki core patch)
  https://gerrit.wikimedia.org/r/q/Id275382743957004fa7fc56318fc104d8e2d267b

DiscordNotifications
+ (GHSA-gvfx-p3h5-qf65, CVE-2025-53371) - DOS, SSRF and possible RCE through requests to user-controlled URLs
  https://github.com/miraheze/DiscordNotifications/security/advisories/GHSA-gvfx-p3h5-qf65
  https://github.com/miraheze/DiscordNotifications/commit/1f20d850cbcce5b15951c7c6127b87b927a5415e

DynamicPageList3
+ (GHSA-7pgw-q3qp-6pgq, CVE-2025-53625) - Exposure of hidden/suppressed usernames
  https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-7pgw-q3qp-6pgq

LastModified
+ (T399583, CVE-2025-62693) - Stored XSS through system messages
  https://gerrit.wikimedia.org/r/q/Ia406630dbac5ef9a9aed3f402f0ba6e434a6bcf2

MultiBoilerplate
+ (T399658, CVE-2025-62700) - Stored XSS through system messages
  https://gerrit.wikimedia.org/r/q/I10e205e3027d4772b2cd9801647fc6c171e4b35b

ExternalGuidance
+ (T399662, CVE-2025-62698) - Stored XSS through system messages
  https://gerrit.wikimedia.org/r/q/I8bfb3c2766982f6633f47ed35720d4d9f51da71d

LanguageSelector
+ (T399724, CVE-2025-62697) - Improperly sanitized style parameter in LanguageSelector
  https://gerrit.wikimedia.org/r/q/I338288e756de4e58a3f1f02a9c205b37f4927935

Translate
+ (T399627, CVE-2025-62699) - Edits performed using the Special:Translate tool do not use the correct IP and User-Agent in the CheckUser tool
  https://gerrit.wikimedia.org/r/q/Idac164418362c65d0ad37055fe9e0ad134197da3
  https://gerrit.wikimedia.org/r/q/I65c740c8ca5130b40463d687e2f0775951abbf22

Springboard
+ (T400422, CVE-2025-62696) - Multiple critical security issues including unauthenticated RCE
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Springboard/+/1174003

WikiLambda
+ (T400500, CVE-2025-62695) - Stored XSS through system messages
  https://gerrit.wikimedia.org/r/q/Id6e96d54b4dd73af205c69ba8774c0fd51632c87

WikiLove
+ (T400525, CVE-2025-62694) - Stored XSS through system messages
  https://gerrit.wikimedia.org/r/q/I17fc061112f61b4c37b772410b265df060819416

PageTriage
+ (CVE-2025-62704, T400526) - Stored XSS through system messages
  https://gerrit.wikimedia.org/r/q/I86c5f17364c7351e7c06ce4cc6e5592467bc8dc3

Wikistories
+ (CVE-2025-62701, T400545) - Stored XSS through system messages
  https://gerrit.wikimedia.org/r/q/I86c3bb7b7ce2d856cd2a5be787b703c85d7c41fa

Skin:BlueSky
+ (T401046, CVE-2025-62665) - Stored XSS through system messages
  https://gerrit.wikimedia.org/r/q/I64c9e2983ed6629505f72ef9449c09137b3c69ae

Tilesheets
+ (GHSA-hqfr-7cm9-4h87, CVE-2025-54865) - Potential SQL injection
  https://github.com/FTB-Gamepedia/Tilesheets/security/advisories/GHSA-hqfr-7cm9-4h87

ImageRating
+ (T402002, CVE-2025-62664) - Stored XSS through a system message
  https://gerrit.wikimedia.org/r/q/Ie42bba0d80bace319cf88d71233db1f598ac613b

SecurePoll
+ (T402076, CVE-2025-11937) - Stored XSS through a system message
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SecurePoll/+/1189186

UploadWizard
+ (T402095, CVE-2025-62663) - Stored XSS through a system message
  https://gerrit.wikimedia.org/r/q/I37ea7c8825e9de776e207b3919b451ba2b905369

AdvancedSearch
+ (T402146, CVE-2025-62662) - Stored XSS through system messages
  https://gerrit.wikimedia.org/r/q/I91bba2b570643ef74e6c210e7250e05cd2aa388e

Cargo
+ (T402147, CVE-2025-62671) - Stored XSS through wikitext
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1179707

FlexDiagrams
+ (T402149, CVE-2025-62670) - Stored XSS through a system message
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FlexDiagrams/+/1179692

Thanks
+ (T397497, CVE-2025-61654) - Incorrect permission checking
  https://gerrit.wikimedia.org/r/q/Idbc1b5a288ffaa7074eedcbac066358a8ec649dc

GrowthExperiments
+ (T397497, CVE-2025-61654) - Incorrect permission checking
  https://gerrit.wikimedia.org/r/q/Ia584966bb7d4d707eef50529293aa3d468470f18

GrowthExperiments
+ (T402698, CVE-2025-62667) - Stored XSS through article extracts
  https://gerrit.wikimedia.org/r/q/Iafd0acccf9a5c20d9e955d7bc3de1304968401ec

CirrusSearch
+ (T401220, CVE-2025-62666) - DoS vector through the cirrusbuilddoc query API
  https://gerrit.wikimedia.org/r/q/I3e8d819868c0491b18368af8e543180e747023c2

WebAuthn
+ (T403093, CVE-2025-62652) - Stored XSS in WebAuthn key name
  https://gerrit.wikimedia.org/r/q/I871ad11a68aad2a6389fdd918de5fcf0921f5a7c

PollNY
+ (T403923, CVE-2025-62653) - Stored XSS through system messages in PollNY
  https://gerrit.wikimedia.org/r/q/If235d6e6c1d37de6748ef4774cdb3438f52ac532

QuizGame
+ (T403924, CVE-2025-62654) - Stored XSS through system messages in QuizGame
  https://gerrit.wikimedia.org/r/q/Iafb81db227107cd8be204f1b6f4eccd06fbec8ce

3DAlloy
+ (GHSA-f2rp-232x-mqrh, CVE-2025-59332) - Stored XSS through attributes provided to the 3d parser tag/function
  https://github.com/dolfinus/3DAlloy/security/advisories/GHSA-f2rp-232x-mqrh

Cargo
+ (T404016, CVE-2025-62655) - SQL injection in Cargo via Special:CargoExport
  https://gerrit.wikimedia.org/r/q/I649ec974c33ad7c4e2338e2f5d8c497153dd6d25
  https://gerrit.wikimedia.org/r/q/I9039a39aa92de193a2f2e9816856adc8c757cf85

WikiLambda
+ (T404392) - Arbitrary HTML injection through error display on Wikifunctions
  https://gerrit.wikimedia.org/r/q/T404392

CookieConsent
+ (T404475, CVE-2025-62659) - CookieConsent should use reserved data attributes to avoid potential XSS vectors
  https://gerrit.wikimedia.org/r/q/Ib6a53470f9f00fc180cac9fceddd0a3c43887825

GlobalBlocking
+ (T403291, CVE-2025-62656) - GlobalBlocking Special:GlobalBlockList vulnerable to message key stored XSS
  https://gerrit.wikimedia.org/r/q/I684c8ec425c7baa722a694ef23d5b6e2a4c3d57b

PageForms
+ (T405357, CVE-2025-62657) - Stored XSS through system messages in PageForms
  https://gerrit.wikimedia.org/r/q/Ic88edd43f356935767730a97ccaf841758c854f1

EmbedVideo (fork)
+ (GHSA-4j5h-mvj3-m48v, CVE-2025-59839) - Stored XSS through wikitext caused by usage of non-reserved data attributes
  https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-4j5h-mvj3-m48v

WatchAnalytics
+ (T406380, CVE-2025-62658) - SQL injection in WatchAnalytics through Special:ClearPendingReviews
  https://gerrit.wikimedia.org/r/q/I6c0018713e0fe0a2ec3610508ea3581e2c8035e4

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible.

Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information.

If you have any additional questions or concerns regarding this update, please feel free to contact [email protected] or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T397776
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

--
Scott Bassett
[email protected]
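Most entries in the list above fall into one class, "Stored XSS through system messages". The following PHP is an added illustration of that class in general and is not taken from any of the patches linked above; it assumes the MediaWiki runtime (wfMessage(), the Html helper and OutputPage), and the function names and message keys (example-notice, example-help, example-footer) are hypothetical. The point it demonstrates: any message in the MediaWiki: namespace can be edited on-wiki by users holding the editinterface right, so message text is user-influenced input to the output layer and has to be escaped or parsed, never concatenated into HTML raw.

```php
<?php
// Added illustration, not code from any listed extension or patch.
// Assumes a MediaWiki runtime. In 1.40+/1.41+ the Html and OutputPage classes
// live under MediaWiki\Html\Html and MediaWiki\Output\OutputPage; the bare
// names below resolve through the aliases MediaWiki keeps for them.

/**
 * Vulnerable pattern (do not ship): Message::text() returns the raw message
 * string with no escaping, and both Html::rawElement() and
 * OutputPage::addHTML() trust their argument as already-safe HTML. Whatever
 * markup an interface editor stores in MediaWiki:Example-notice therefore
 * lands verbatim in every reader's page.
 */
function renderNoticeVulnerable( OutputPage $out ): void {
	$out->addHTML(
		Html::rawElement( 'div', [ 'class' => 'example-notice' ],
			wfMessage( 'example-notice' )->text() )
	);
}

/**
 * Hardened equivalents. Pick the one that matches what the message is.
 */
function renderNoticeFixed( OutputPage $out ): void {
	// 1. Message is plain text: let Html::element() escape it (it escapes
	//    attribute values too), or use ->escaped() in place of ->text().
	$out->addHTML(
		Html::element( 'div', [ 'class' => 'example-notice' ],
			wfMessage( 'example-notice' )->text() )
	);

	// 2. Message legitimately carries wikitext formatting (links, bold):
	//    ->parse() runs it through the parser and its HTML sanitizer, which
	//    drops script-capable elements and event-handler attributes.
	$out->addHTML(
		Html::rawElement( 'div', [ 'class' => 'example-help' ],
			wfMessage( 'example-help' )->parse() )
	);

	// 3. Simplest: addWikiMsg() parses the message and appends it for you.
	$out->addWikiMsg( 'example-footer' );
}
```

Review check for this class: grep the extension for `->text()` or `->plain()` whose result reaches `addHTML()`, `Html::rawElement()`, a string concatenation that builds markup, or an HTML attribute value; each such site needs `->escaped()`, `->parse()` or an escaping helper. To confirm a fix on a test wiki, edit the message to contain angle brackets and a quote character and verify they render literally in the page source. The same rule covers the "message key" variant (GlobalBlocking above): when the key itself is derived from request data, the resulting message text is still untrusted and must be escaped on output.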
