Cross-posting to the Maps list.

deb tankersley
irc: debt
Product Manager, Discovery
Wikimedia Foundation

---------- Forwarded message ----------
From: Max Semenik <>
Date: Tue, May 2, 2017 at 6:51 PM
Subject: [Wikitech-l] Security announcement: XSS when Kartographer is used with JsonConfig
To: Wikimedia developers <>, MediaWiki announcements and site admin list <>

A stored XSS vulnerability was discovered when Kartographer is configured
to receive map data from wiki pages via JsonConfig. Unless your wiki has
both extensions installed and JsonConfig is configured to provide map data,
it is safe. Otherwise, you're encouraged to upgrade both extensions.

Affected versions:
* Versions for the latest MediaWiki release, 1.28, don't support the
aforementioned functionality and therefore are not vulnerable.
* Versions for pre-release 1.29 and alpha 1.30 are affected and have fixes
applied in source control.

You can download the latest sources from Git[1] or ExtensionDistributor[2].

See this ticket for more information:


Best regards,
Max Semenik ([[User:MaxSem]])
Wikitech-l mailing list