Greetings-

There was a delay in CVE assignment due to a backlog at MITRE. Alongside the security/maintenance release of MediaWiki 1.39.7/1.40.3/1.41.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T355434, CVE-2024-34505) - Temporary account IP reveal does not check the deleted status
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/992795/

CheckUser
+ (T356226, CVE-2024-34501) - CheckUser Client Hints REST API does not use a CSRF token
https://gerrit.wikimedia.org/r/q/Idc776c7c7612c8b9e2c134706c9e2ebc2f5b655f

ReportIncident
+ (T356190, CVE-2024-34503) - ReportIncident REST API does not use a CSRF token
https://gerrit.wikimedia.org/r/q/I27b5899cf69837c9ab8fee2b5bc9b2e788e69f9e

IPInfo
+ (T356183, CVE-2024-34504) - IPInfo REST APIs are not safe from CSRF attacks
https://gerrit.wikimedia.org/r/q/I5974c1e71286f5f920ace51ba064e96c88296a4e

WikiDiscover
+ (GHSA-cfcf-94jv-455f, CVE-2024-25107) - Cross-Site Scripting on Special:WikiDiscover
https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f

UnlinkedWikibase
+ (T357203, CVE-2024-34500) - XSS through interface message in UnlinkedWikibase
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175

WikibaseLexeme
+ (T357101, CVE-2024-34502) - Special:MergeLexemes makes edits on GET requests without edit tokens
https://gerrit.wikimedia.org/r/q/Iae0c7c3b979118559c9ce2276618c6cdec11e63d

Cargo
+ (T331362, CVE-2023-29134) - SQL injection in Cargo handling of quotes inside backticks
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1005478

ManageWiki
+ (GHSA-4jr2-jhfm-2r84, CVE-2024-25109) - Special:ManageWiki does not escape interface messages
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84

CreateWiki
+ (GHSA-8wjf-mxjg-j8p9, CVE-2024-29883) - Special:ManageWiki does not escape interface messages
https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9

[1] https://phabricator.wikimedia.org/T353904 
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs