Greetings -

With the security/maintenance release of MediaWiki 1.39.13/1.42.7/1.43.2, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

ManageWiki
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-gg42-cv66-f5x7, CVE-2025-32956) - SQL injection vulnerability in NamespaceMigrationJob
  https://github.com/miraheze/ManageWiki/commit/f504ed8eeb59b57ebb90f93cd44f23da4c5bc4c9

IPInfo
+ (T392976 <https://phabricator.wikimedia.org/T392976>, CVE-2025-53481) - Denial of service vector on ipinfo/v0/norevision
  https://gerrit.wikimedia.org/r/q/I474b7a1b3bc1e7597fee0826a18a0cf042359f0f
+ (T392976 <https://phabricator.wikimedia.org/T392976>, CVE-2025-53481) - Denial of service vector on ipinfo/v0/norevision
  https://gerrit.wikimedia.org/r/q/I08a7154f8fa08bb6f0940e522075bdc2a3d4433f
+ (T394393 <https://phabricator.wikimedia.org/T394393>, CVE-2025-53482) - IPInfo: Message key XSS through several IPInfo messages in infobox and popup
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1146685
+ (T394393 <https://phabricator.wikimedia.org/T394393>, CVE-2025-53482) - IPInfo: Message key XSS through several IPInfo messages in infobox and popup
  https://gerrit.wikimedia.org/r/q/Ibb9b7dcb04f551a3da32e9de09a8ac11caa2a3aa

SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53483) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SecurePoll/+/1149618
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53484) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
  https://gerrit.wikimedia.org/r/q/I5fb4da635b538b6ef121ae77d9088737fd8bf0de
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53483) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
  https://gerrit.wikimedia.org/r/q/I7a771f81cc72bd5c6242767cf3f5e19fa140accc
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53485) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
  https://gerrit.wikimedia.org/r/q/Iaaae70289464b8f097ff8d2d6c828ddf942d2d60
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53484) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
  https://gerrit.wikimedia.org/r/q/Id6e0c8c3020c293460010ef0019bc6c40d43b596

WikiCategoryTagCloud
+ (T394590 <https://phabricator.wikimedia.org/T394590>, CVE-2025-53486) - Reflected XSS in WikiCategoryTagCloud
  https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17

ApprovedRevs
+ (T394383 <https://phabricator.wikimedia.org/T394383>, CVE-2025-53487) - Stored XSS through system messages in Extension:ApprovedRevs
  https://gerrit.wikimedia.org/r/q/Ifcab085111e7898da485a5e2ae287fee4e6d167b

CheckUser
+ (T394692 <https://phabricator.wikimedia.org/T394692>, CVE-2025-53478) - Special:Investigate 'IPs and User agents' tab has i18n XSS vectors
  https://gerrit.wikimedia.org/r/q/I3a1e21b6800ff4d813a33ee9fe9b7ccf070b6b2e
+ (T394693 <https://phabricator.wikimedia.org/T394693>, CVE-2025-53479) - Special:CheckUser has i18n XSS vectors
  https://gerrit.wikimedia.org/r/q/I159e14543912cb3bc7f4a00c3090c0285b154786
+ (T394700 <https://phabricator.wikimedia.org/T394700>, CVE-2025-53480) - Special:Investigate 'Account information' tab has i18n XSS vectors
  https://gerrit.wikimedia.org/r/q/I777fc55fef15c3b00df0db268af2b64cb2d6e381

MsUpload
+ (T394864 <https://phabricator.wikimedia.org/T394864>, CVE-2025-7362) - Stored XSS through a system message in MsUpload
  https://gerrit.wikimedia.org/r/q/Icf4c0a5a936926ea887ca2e48c3a7bd297201d9f

TitleIcon
+ (T394721 <https://phabricator.wikimedia.org/T394721>, CVE-2025-7363) - XSS in TitleIcon
  https://gerrit.wikimedia.org/r/q/I107ab638fecbf52b5bec3f02726ed24b1ae74429

TwoColConflict
+ (T394938 <https://phabricator.wikimedia.org/T394938>, CVE-2025-53494) - Stored XSS in TwoColConflict
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TwoColConflict/+/1150011

MintyDocs
+ (T395376 <https://phabricator.wikimedia.org/T395376>, CVE-2025-53493) - Stored XSS in MintyDocs
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1151800
+ (T395737 <https://phabricator.wikimedia.org/T395737>, CVE-2025-53492) - Stored XSS in MintyDocs
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1152771

FlaggedRevs
+ (T394397 <https://phabricator.wikimedia.org/T394397>, CVE-2025-53491) - Stored XSS in FlaggedRevs
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FlaggedRevs/+/1165929

CampaignEvents
+ (T395622 <https://phabricator.wikimedia.org/T395622>, CVE-2025-53490) - Multiple XSS in CampaignEvents
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/1165949

GoogleDocs4MW
+ (T395949 <https://phabricator.wikimedia.org/T395949>, CVE-2025-53489) - XSS in GoogleDocs4MW
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GoogleDocs4MW/+/1155269

wikihiero
+ (T396524 <https://phabricator.wikimedia.org/T396524>, CVE-2025-53488) - Stored XSS in WikiHiero
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/wikihiero/+/1166018

RelatedArticles
+ (T396413 <https://phabricator.wikimedia.org/T396413>, CVE-2025-53497) - Stored XSS in RelatedArticles
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RelatedArticles/+/1166024

MediaSearch
+ (T396946 <https://phabricator.wikimedia.org/T396946>, CVE-2025-53496) - Stored XSS in MediaSearch
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaSearch/+/1166030

AbuseFilter
+ (T396750 <https://phabricator.wikimedia.org/T396750>, CVE-2025-53495) - Unauthorized Disclosure of IP Reputation in AbuseFilter
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166040
+ (T397196 <https://phabricator.wikimedia.org/T397196>, CVE-2025-53499) - Unauthorized Inspection of Protected Variables in AbuseFilter
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166045
+ (T397221 <https://phabricator.wikimedia.org/T397221>, CVE-2025-53498) - Lack of Audit Logging in AbuseFilter
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166844

FeaturedFeeds
+ (T392279 <https://phabricator.wikimedia.org/T392279>, CVE-2025-53502) - HTML injection in FeaturedFeeds
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FeaturedFeeds/+/1149742

Scribunto
+ (T397524 <https://phabricator.wikimedia.org/T397524>, CVE-2025-53501) - Content Access Bypass in Scribunto
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Scribunto/+/1164541

MassEditRegex
+ (T397334 <https://phabricator.wikimedia.org/T397334>, CVE-2025-53500) - Stored XSS in MassEditRegex
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MassEditRegex/+/1163878

CentralAuth
+ (T389010 <https://phabricator.wikimedia.org/T389010>, CVE-2025-6926) - Security Authentication Bypass in CentralAuth
  https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165117

ManageWiki
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-ccrf-x5rp-gppr, CVE-2025-32964) - ManageWiki Vulnerable To Permission Bypass When Disabling Extensions Requiring Certain Permissions In Special:ManageWiki/Extensions
  https://github.com/miraheze/ManageWiki/commit/00bebea43a3e3ff0157b5f04df17c1d1e88a9acd
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-859x-46h8-vcrv, CVE-2025-43861) - ManageWiki Vulnerable to Self-XSS in review dialog via unsanitized field reflection
  https://github.com/miraheze/ManageWiki/commit/2f177dc83b28b727613215b835d4036cb179e4ab

Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87, CVE-2025-49575) - Citizen Allows Stored XSS In Command Palette Tip Messages
  https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-86xf-2mgp-gv3g, CVE-2025-49576) - Citizen Allows Stored XSS In Search No Result Messages
  https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-jwr7-992g-68mh, CVE-2025-49577) - Citizen Allows Stored XSS In Preference Menu Headings
  https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h, CVE-2025-49578) - Citizen Allows Stored XSS In User Registration Date Message
  https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g3cp-pq72-hjpv, CVE-2025-49579) - Citizen Allows Stored XSS In Menu Heading Message
  https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65

TabberNeue
+ (https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-jfj7-249r-7j2m, CVE-2025-53093) - TabberNeue Vulnerable To Stored XSS Through Wikitext
  https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/4cdf217ef96da74a1503d1dd0bb0ed898fc2a612

ShortDescription
+ (https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-p85q-mww9-gwqf, CVE-2025-53369) - Citizen Short Description Stored XSS Vulnerability Through Wikitext
  https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bc4fdbaeb1dff127fb6d08c0d385b64aa128c8f8

Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-rq6g-6g94-jfr4, CVE-2025-53368) - Citizen Is Vulnerable To Stored XSS Attack In The Legacy Search Bar
  https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/aedbceb3380bb48db6b59e272fc187529c71c8ca
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-prmv-7r8c-794g, CVE-2025-53370) - Citizen Stored XSS Vulnerability Through Short Descriptions
  https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/c85a40bddc8651fff66df83a72debddcb34f0521

UrlShortener
+ (T394869 <https://phabricator.wikimedia.org/T394869>, CVE-2025-7056) - Stored XSS in UrlShortener
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UrlShortener/+/1166268

Quiz
+ (T394612 <https://phabricator.wikimedia.org/T394612>, CVE-2025-7057) - Stored XSS in Quiz
  https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Quiz/+/1166274

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or the relevant, supported release branch [2] as soon as possible.

Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed, and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information.

If you have any additional questions or concerns regarding this update, please feel free to contact secur...@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T389312
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
_______________________________________________
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/