Greetings-
With the security/maintenance release of MediaWiki 1.35.11/1.38.7/1.39.4/1.40.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
* CheckUser + (T333569, CVE-2023-37255) - Special:CheckUser 'get edits' is vulnerable to HTML injection through the user agent string.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/905706/

* GoogleAnalyticsMetrics + (T333980, CVE-2023-37251) - The GoogleAnalyticsMetrics parser function in the extension does not properly escape JavaScript in the onclick handler and does not prevent the use of javascript: URLs.
https://gerrit.wikimedia.org/r/c/905661

* CheckUser + (T330968, CVE-2023-37252) - Special:CheckUserLog shows usernames which have been hidden.
https://gerrit.wikimedia.org/r/c/933686
https://gerrit.wikimedia.org/r/c/932822

* Cargo + (T331311, CVE-2023-37256) - Cargo allows storing javascript: URLs in URL fields and automatically links them.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894679

* Cargo + (T331065, CVE-2023-37254) - XSS in Special:CargoQuery using the default format.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894666

* ProofreadPage + (T326952, CVE-2023-37253) - ProofreadPage leaks a suppressed user via the API and config variables.
https://gerrit.wikimedia.org/r/q/Ibe5f8e25dea155bbd811a65833394c0d4b906a34

* DoubleWiki + (T323651, CVE-2023-37304) - XSS in the DoubleWiki extension (Wikisource).
https://gerrit.wikimedia.org/r/c/933666
https://gerrit.wikimedia.org/r/c/933667
https://gerrit.wikimedia.org/r/c/932825

* CheckUser + (T338276, CVE-2023-37303) - Wikimedia\Rdbms\DBQueryDisconnectedError when blocking a user.
https://gerrit.wikimedia.org/r/c/932823

* Wikibase + (T250720, CVE-2023-37301) - The Wikidata edit filter does not fire when the test tool says it should.
https://gerrit.wikimedia.org/r/c/933663

* Wikibase + (T339111, CVE-2023-37302) - Style injection into badges on Wikidata due to unescaped quotes.
https://gerrit.wikimedia.org/r/c/933649
https://gerrit.wikimedia.org/r/c/933650
The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or to the relevant, supported release branch [2] as soon as possible.

Some of the Phabricator tasks referenced above _may_ still be private. Unfortunately, when security issues are reported, sensitive information is sometimes exposed in the report, and since Phabricator preserves the full history of a task, we cannot make these tasks public without also exposing that sensitive information.

If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T333626
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
mediawiki-l@lists.wikimedia.org