---------- Forwarded message ----------
From: Max Semenik <maxsem.wiki@gmail.com>
Date: Tue, May 2, 2017 at 6:51 PM
Subject: [Wikitech-l] Security announcement: XSS when Kartographer is used with JsonConfig
To: Wikimedia developers <wikitech-l@lists.wikimedia.org>, MediaWiki announcements and site admin list <mediawiki-l@lists.wikimedia.org>

A stored XSS vulnerability was discovered when Kartographer is configured
to receive map data from wiki pages via JsonConfig. Unless your wiki has
both extensions installed and JsonConfig is configured to provide map data,
it is safe. Otherwise, you're encouraged to upgrade both extensions
IMMEDIATELY.
Affected versions:
* Versions for the latest MediaWiki release, 1.28, don't support the
aforementioned functionality and therefore are not vulnerable.
* Versions for pre-release 1.29 and alpha 1.30 are affected and have fixes
applied in source control.
Upgrading:
You can download the latest sources from Git[1] or ExtensionDistributor[2]