Updates are available for the CentralNotice extension to fix an XSS
vulnerability [1] and improve escaping in the extension's administration UI
and in database queries [2].
The XSS vulnerability is exploitable by unauthenticated users, and only
requires an attacker to convince their target to click on a specially
crafted link to execute JavaScript in the context of a wiki running
CentralNotice. Affected versions include git master after 2016-10-26 or
release branches REL1_29 and REL1_30.
The weaknesses in escaping would only be exploitable by users with
CentralNotice administrator rights.
If you are running CentralNotice, please update to the latest code from git
[3] or download updated snapshots for release versions 1.27, 1.29, 1.30, or
git master from [4].
Many thanks to Brian Wolff for finding the XSS vulnerability and writing
the fixes, and to Andrew Green for finding the weak escaping and organizing
the patches.
[1] https://phabricator.wikimedia.org/T175900
[2] https://phabricator.wikimedia.org/T171987
[3] https://gerrit.wikimedia.org/r/mediawiki/extensions/CentralNotice
[4] https://www.mediawiki.org/wiki/Special:ExtensionDistributor/CentralNotice