[Maps-l] Fwd: [Wikitech-l] Security announcement: XSS when Kartographer is used with JsonConfig

4 May 2017


      Cross-posting to the Maps list.
--
deb tankersley
irc: debt
Product Manager, Discovery
Wikimedia Foundation
---------- Forwarded message ----------
From: Max Semenik maxsem.wiki@gmail.com
Date: Tue, May 2, 2017 at 6:51 PM
Subject: [Wikitech-l] Security announcement: XSS when Kartographer is used
with JsonConfig
To: Wikimedia developers wikitech-l@lists.wikimedia.org, MediaWiki
announcements and site admin list mediawiki-l@lists.wikimedia.org
A stored XSS vulnerability was discovered when Kartographer is configured
to receive map data from wiki pages via JsonConfig. Unless your wiki has
both extensions installed and JsonConfig is configured to provide map data,
it is safe. Otherwise, you're encouraged to upgrade both extensions
IMMEDIATELY.
Affected versions:
* Versions for latest MediaWiki release, 1.28, don't support the
aforementioned functionality and therefore are not vulnerable.
* Versions for pre-release 1.29 and alpha 1.30 are affected and have fixes
applied in source control.
Upgrading:
You can download latest sources from Git[1] or ExtensionDistributor[2]
See this ticket for more information:
https://phabricator.wikimedia.org/T163166
----
[1]
https://www.mediawiki.org/wiki/Download_from_Git#Using_
Git_to_download_MediaWiki_extensions
[2] https://www.mediawiki.org/wiki/Special:ExtensionDistributor
--
Best regards,
Max Semenik ([[User:MaxSem]])
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

[Maps-l] Fwd: [Wikitech-l] Security announcement: XSS when Kartographer is used with JsonConfig