Cross-posting to the Maps list.
--
deb tankersley
irc: debt
Product Manager, Discovery
Wikimedia Foundation

---------- Forwarded message ----------
From: Max Semenik maxsem.wiki@gmail.com
Date: Tue, May 2, 2017 at 6:51 PM
Subject: [Wikitech-l] Security announcement: XSS when Kartographer is used with JsonConfig
To: Wikimedia developers wikitech-l@lists.wikimedia.org, MediaWiki announcements and site admin list mediawiki-l@lists.wikimedia.org
A stored XSS vulnerability was discovered when Kartographer is configured to receive map data from wiki pages via JsonConfig. Unless your wiki has both extensions installed and JsonConfig is configured to provide map data, it is safe. Otherwise, you're encouraged to upgrade both extensions IMMEDIATELY.
Affected versions:
* Versions for latest MediaWiki release, 1.28, don't support the aforementioned functionality and therefore are not vulnerable.
* Versions for pre-release 1.29 and alpha 1.30 are affected and have fixes applied in source control.
Upgrading:
You can download the latest sources from Git[1] or ExtensionDistributor[2].
See this ticket for more information: https://phabricator.wikimedia.org/T163166
----
[1] https://www.mediawiki.org/wiki/Download_from_Git#Using_Git_to_download_MediaWiki_extensions
[2] https://www.mediawiki.org/wiki/Special:ExtensionDistributor

--
Best regards,
Max Semenik ([[User:MaxSem]])
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l