Hi,
I just wanted to quickly let you know that on Friday Lucie discovered
that it's possible to use the wbmergeitems API without passing an edit
token to it, also it was possible to use it via GET requests.
Not requiring a token made that module vulnerable to CSRF attacks.
We opened a security bug, fixed the problem and deployed a patch on
Friday, thus the problem has been fixed on
Wikidata.org.
Anyone running their own Wikibase installations is advised to update to
master or to cherry-pick
https://gerrit.wikimedia.org/r/198736.
Users of the wbmergeitems API should check whether they use POST for
their requests and are sending a valid token.
Cheers,
Marius
For further details, please see:
https://phabricator.wikimedia.org/T93365