Greetings-
With the security/maintenance release of MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
PageTriage + (T347704, CVE-2024-23174) - XSS in pagetriage-tags-quickfilter-label PageTriage https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/989177
Cargo + (T348687, CVE-2024-23173) - Reflected XSS Could Lead to Steal User Cookie https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214/
CampaignTools + (T348343, CVE-2024-23171) - Various i18n-based XSSs in Special:EventDetails https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/97124...
CheckUser + (T347708, CVE-2024-23172) - Several not properly escaped messages in the CheckUser extension https://gerrit.wikimedia.org/r/q/If3ce02cac9c5f2a6f84c42d902b8290eb1fa7250
MassMessage + (T347742, CVE-2024-23176) - MassMessage i18n key massmessage-form-page-help allows i18n-xss https://gerrit.wikimedia.org/r/q/Ife6fb590af53fa0d8eb59201ce88a3c47ddde45c
GlobalBlocking + (T347746, CVE-2024-23179) - GlobalBlocking subtitle links have i18n-xss via the parentheses message https://gerrit.wikimedia.org/r/q/Ide490ca62bdb79b80be5e016986c6c96bfa3b4cf https://gerrit.wikimedia.org/r/q/I1cad283235ea974c7d4ffabc49e1ff801dd4d276
WatchAnalytics + (T348979, CVE-2024-23177) - WatchAnalytics: classic XSS on Special:PageStatistics with the 'page' URL parameter https://gerrit.wikimedia.org/r/q/I09f4663c1c619796624b7d296c1351e0245cdaf1
Phonos + (T349312, CVE-2024-23178) - XSS in Phonos via the phonos-purge-needed-error message https://gerrit.wikimedia.org/r/q/I4cbdd3a35ded2385c29983c77f98835fa2ca307c
FlexDiagrams + (T353138, CVE-2024-23178) - FlexDiagrams XSS bug https://gerrit.wikimedia.org/r/q/I139e88d8669b14469e359d1d124b2647dde2a7ca
The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].
[1] https://phabricator.wikimedia.org/T347659 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs
wikitech-l@lists.wikimedia.org