Greetings-
With the security/maintenance release of MediaWiki 1.39.11/1.41.5/1.42.4, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
SocialProfile + (T373265 https://phabricator.wikimedia.org/T373265, CVE-2025-23074) - Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed) https://gerrit.wikimedia.org/r/q/I4b77ced314bc6cea0ef3657a82e7467d3661fe2a
GlobalBlocking + (T377855 https://phabricator.wikimedia.org/T377855, CVE-2025-23073) - API list=globalblocks can reveal IP of autoblock if username and IP are included in the bgtargets parameter https://gerrit.wikimedia.org/r/q/I2a2d32aedf6328be0a9f1b4e04a6567a25f19486
RefreshSpecial + (T378885 https://phabricator.wikimedia.org/T378885, CVE-2025-23072) - XSS in Special:RefreshSpecial https://gerrit.wikimedia.org/r/q/Ic9547e80a8296d707ad8a157eb8ba7aa26fb08dc
DataTransfer + (T379749 https://phabricator.wikimedia.org/T379749, CVE-2025-23081) - Various security vulnerabilities in Extension:DataTransfer https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3 https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7 https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9 https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451
OpenBadges + (T381220 https://phabricator.wikimedia.org/T381220, CVE-2025-23080) - XSSes in Special:BadgeView https://gerrit.wikimedia.org/r/q/Ic9448312fa7f1cbc8feac3f852bc8720568522e2
ArticleFeedbackv5 + (T381753 https://phabricator.wikimedia.org/T381753, CVE-2025-23079) - XSSes in Extension:ArticleFeedbackv5 https://gerrit.wikimedia.org/r/q/I6ee51c8b518bda41739fd666fa2891cc12e79ac3
BreadCrumbs2 + (T382043 https://phabricator.wikimedia.org/T382043, CVE-2025-23078) - XSS in BreadCrumbs2 https://gerrit.wikimedia.org/r/q/I7878f8f7bc067080f80427b90f8d85337f172711
The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].
[1] https://phabricator.wikimedia.org/T375631 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs
mediawiki-announce@lists.wikimedia.org