Greetings-

With the security/maintenance release of MediaWiki 1.35.11/1.38.7/1.39.4/1.40.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T333569, CVE-2023-37255) - Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/905706/

GoogleAnalyticsMetrics
+ (T333980, CVE-2023-37251) - GoogleAnalyticsMetrics parser function in extension does not properly escape js in onclick handler and does not prevent using javascript urls.
https://gerrit.wikimedia.org/r/c/905661

CheckUser
+ (T330968, CVE-2023-37252) - Special:CheckUserLog shows usernames which have been hidden.
https://gerrit.wikimedia.org/r/c/933686
https://gerrit.wikimedia.org/r/c/932822

Cargo
+ (T331311, CVE-2023-37256) - Cargo allows storing javascript URLs in URL fields, and automatically linking them.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894679

Cargo
+ (T331065, CVE-2023-37254) - XSS in Special:CargoQuery using default format.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894666
ProofreadPage
+ (T326952, CVE-2023-37253) - ProofreadPage leaks suppressed user via the API and config variables.
https://gerrit.wikimedia.org/r/q/Ibe5f8e25dea155bbd811a65833394c0d4b906a34

DoubleWiki
+ (T323651, CVE-2023-37304) - XSS in DoubleWiki extension (Wikisource).
https://gerrit.wikimedia.org/r/c/933666
https://gerrit.wikimedia.org/r/c/933667
https://gerrit.wikimedia.org/r/c/932825

CheckUser
+ (T338276, CVE-2023-37303) - Wikimedia\Rdbms\DBQueryDisconnectedError when blocking user.
https://gerrit.wikimedia.org/r/c/932823

Wikibase
+ (T250720, CVE-2023-37301) - Wikidata edit filter does not fire when test tool says it should.
https://gerrit.wikimedia.org/r/c/933663

Wikibase
+ (T339111, CVE-2023-37302) - Style injection into badges on Wikidata due to unescaped quotes.
https://gerrit.wikimedia.org/r/c/933649
https://gerrit.wikimedia.org/r/c/933650

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or the relevant, supported release branch [2] as soon as possible. Some of the Phabricator tasks referenced above _may_ still be private. Unfortunately, sensitive information is sometimes exposed when security issues are reported, and since Phabricator preserves its history, we cannot make those tasks public without exposing that sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T333626
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs