Greetings-
With the security/maintenance release of MediaWiki 1.39.8/1.40.4/1.41.2/1.42.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
CheckUser
+ (T361293, CVE-2024-40606) - Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it
https://gerrit.wikimedia.org/r/q/Idc7ed16ca9f3b97735758286c1d1b924b49fb1b2
CheckUser
+ (T361295, CVE-2024-40610) - CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them
https://gerrit.wikimedia.org/r/q/I7a797d509e86916b8cc8a5b6519c42e6aa355ea9
CheckUser
+ (T361296, CVE-2024-40608) - Special:Investigate exposes suppressed usernames to those who do not have the rights to see them
https://gerrit.wikimedia.org/r/q/I75cce32b121ce4c7c2e35f7d00929dc201392241
CheckUser
+ (T361479, CVE-2024-40607) - Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL
https://gerrit.wikimedia.org/r/q/I67d76232b131054713534d619d04972f4d84e232
CheckUser
+ (T326867, CVE-2024-40598) - CheckUser API can expose suppressed information for log events
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1017294
CheckUser
+ (T326865, CVE-2024-40597) - Special:CheckUser can expose suppressed information for log events
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1018782
CheckUser
+ (T338419, CVE-2024-40609) - Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode
https://gerrit.wikimedia.org/r/q/I968310f1f2383001d399befdfc72d41636501f22
CheckUser
+ (T268147, CVE-2024-40611) - Special:CheckUser shows deleted edits to non-admins
CheckUser
+ (T326866, CVE-2024-40596) - Special:Investigate can expose suppressed information for log events
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034524
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034100
GuMaxDD
+ (T361448, CVE-2024-40599) - GuMaxDD skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I6c8a72fc6b9d53fc1cefa2ba20ea951eff21060a
Nimbus
+ (T361450, CVE-2024-40604) - Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar
https://gerrit.wikimedia.org/r/q/Ie06722d1728d9cca010dc08fe1b08257c6d77dad
Tempo
+ (T361451, CVE-2024-40602) - Tempo skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I574710e673bf09270f385afb4e4b045790a5c14a
Foreground
+ (T361452, CVE-2024-40605) - Foreground skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I19522422f6dde1602322b9bd67f8ce028ee48344
BlueLL
+ (T361453, CVE-2024-40612) - BlueLL skin: stored XSS via MediaWiki:Sidebar
https://github.com/lingua-libre/BlueLL/pull/18
Metrolook
+ (T361449, CVE-2024-40600) - Metrolook skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I269fa3af31ff4cdc18a65b095bc7e7d6f175582e
MediaWikiChat
+ (T362588, CVE-2024-40601) - Classic CSRF in MediaWikiChat's API modules
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaWikiChat/+/1023496
ArticleRatings
+ (T363884, CVE-2024-40603) - Special:ChangeRating is vulnerable to CSRF
https://gerrit.wikimedia.org/r/q/Iafe1b12bc8567d39ca964b16223784374e8e4aa7
Gadgets
+ (T363773, CVE-2024-40613) - Evil regex used to process gadget definitions
https://gerrit.wikimedia.org/r/q/Ic9e1a181b261ae4d25e9ce2f91ad12f92e9855d9
The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].
[1] https://phabricator.wikimedia.org/T361321
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs