Greetings-

With the security/maintenance release of MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

PageTriage
+ (T347704, CVE-2024-23174) - XSS in pagetriage-tags-quickfilter-label PageTriage
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/989177

Cargo
+ (T348687, CVE-2024-23173) - Reflected XSS Could Lead to Steal User Cookie
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214/

CampaignTools
+ (T348343, CVE-2024-23171) - Various i18n-based XSSs in Special:EventDetails
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/971248/

CheckUser
+ (T347708, CVE-2024-23172) - Several not properly escaped messages in the CheckUser extension
https://gerrit.wikimedia.org/r/q/If3ce02cac9c5f2a6f84c42d902b8290eb1fa7250

MassMessage
+ (T347742, CVE-2024-23176) - MassMessage i18n key massmessage-form-page-help allows i18n-xss
https://gerrit.wikimedia.org/r/q/Ife6fb590af53fa0d8eb59201ce88a3c47ddde45c

GlobalBlocking
+ (T347746, CVE-2024-23179) - GlobalBlocking subtitle links have i18n-xss via the parentheses message
https://gerrit.wikimedia.org/r/q/Ide490ca62bdb79b80be5e016986c6c96bfa3b4cf
https://gerrit.wikimedia.org/r/q/I1cad283235ea974c7d4ffabc49e1ff801dd4d276

WatchAnalytics
+ (T348979, CVE-2024-23177) - WatchAnalytics: classic XSS on Special:PageStatistics with the 'page' URL parameter
https://gerrit.wikimedia.org/r/q/I09f4663c1c619796624b7d296c1351e0245cdaf1

Phonos
+ (T349312, CVE-2024-23178) - XSS in Phonos via the phonos-purge-needed-error message
https://gerrit.wikimedia.org/r/q/I4cbdd3a35ded2385c29983c77f98835fa2ca307c

FlexDiagrams
+ (T353138, CVE-2024-23178) - FlexDiagrams XSS bug
https://gerrit.wikimedia.org/r/q/I139e88d8669b14469e359d1d124b2647dde2a7ca

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or the relevant, supported release branch [2] as soon as possible. Some of the Phabricator tasks referenced above _may_ still be private. Unfortunately, security reports sometimes expose sensitive information, and because Phabricator retains the full history of a task, we cannot make such tasks public without also exposing that information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T347659
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs