I just wanted to quickly let you know that on Friday Lucie discovered
that it's possible to use the wbmergeitems API without passing an edit
token to it, also it was possible to use it via GET requests.
Not requiring a token made that module vulnerable to CSRF attacks.
We opened a security bug, fixed the problem and deployed a patch on
Friday, thus the problem has been fixed on Wikidata.org
Anyone running their own Wikibase installations is advised to update to
master or to cherry-pick https://gerrit.wikimedia.org/r/198736
Users of the wbmergeitems API should check whether they use POST for
their requests and are sending a valid token.
For further details, please see: