Greetings-
There was a delay in CVE assignment due to a backlog with Mitre. With the security/maintenance release of MediaWiki 1.39.7/1.40.3/1.41.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
CheckUser + (T355434, CVE-2024-34505) - Temporary account IP reveal does not check the deleted status https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/992795/
CheckUser + (T356226, CVE-2024-34501) - CheckUser Client Hints REST API does not use a CSRF token https://gerrit.wikimedia.org/r/q/Idc776c7c7612c8b9e2c134706c9e2ebc2f5b655f
ReportIncident + (T356190, CVE-2024-34503) - ReportIncident REST API does not use a CSRF token https://gerrit.wikimedia.org/r/q/I27b5899cf69837c9ab8fee2b5bc9b2e788e69f9e
IPInfo + (T356183, CVE-2024-34504) - IPInfo REST APIs are not safe from CSRF attacks https://gerrit.wikimedia.org/r/q/I5974c1e71286f5f920ace51ba064e96c88296a4e
WikiDiscover + (GHSA-cfcf-94jv-455f, CVE-2024-25107) - Cross-Site Scripting on Special:WikiDiscover https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-...
UnlinkedWikibase + (T357203, CVE-2024-34500) - XSS through interface message in UnlinkedWikibase https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/100...
WikibaseLexeme + (T357101, CVE-2024-34502) - Special:MergeLexemes makes edits on GET requests without edit tokens https://gerrit.wikimedia.org/r/q/Iae0c7c3b979118559c9ce2276618c6cdec11e63d
Cargo + (T331362, CVE-2023-29134) - SQL injection in Cargo handling of quotes inside backticks https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1005478
ManageWiki + (GHSA-cfcf-94jv-455f, CVE-2024-25109) - Special:ManageWiki does not escape interface messages https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r...
CreateWiki + (GHSA-8wjf-mxjg-j8p9, CVE-2024-29883) - Special:ManageWiki does not escape interface messages https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8...
[1] https://phabricator.wikimedia.org/T353904
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
wikitech-l@lists.wikimedia.org