A stored XSS vulnerability was discovered that affects wikis where Kartographer is configured to receive map data from wiki pages via JsonConfig. Unless your wiki has both extensions installed and JsonConfig is configured to provide map data, it is safe. Otherwise, you're encouraged to upgrade both extensions IMMEDIATELY.
Affected versions:
* Versions for the latest MediaWiki release, 1.28, don't support the aforementioned functionality and therefore are not vulnerable.
* Versions for pre-release 1.29 and alpha 1.30 are affected and have fixes applied in source control.
Upgrading: You can download the latest sources from Git[1] or ExtensionDistributor[2].
See this ticket for more information: https://phabricator.wikimedia.org/T163166
----
[1] https://www.mediawiki.org/wiki/Download_from_Git#Using_Git_to_download_Media...
[2] https://www.mediawiki.org/wiki/Special:ExtensionDistributor
wikitech-l@lists.wikimedia.org