On Thursday, November 29th, between 21:00-22:00 UTC (1-2pm PST)
Wikimedia Foundation will release security updates for current and
supported branches of the MediaWiki software. We are providing this
pre-announcement as a courtesy for administrators to be ready to
accept the fix for these on Thursday. We will send another
announcement email when the patches and tar files are ready for
* Vulnerabilities were found in both MediaWiki core and the
CentralAuth extension. Successful exploitation could allow an attacker
to compromise another user's account. Risk is considered moderate
(CVSS Base Score: 4).
* One vulnerability was discovered that could allow an attacker to
prevent users from viewing Special:RecentChanges, and other pages,
which could prevent the detection of SPAM or vandalism. Public wikis
are encouraged to upgrade.
* A flaw in the MediaWiki 1.20 API could allow a stored XSS.
Exploitation requires user interaction or an existing XSS
vulnerability, so risk of exploitation is low.
For information about how to upgrade, see