Updates are available for the CentralNotice extension to fix an XSS vulnerability [1] and improve escaping in the extension's administration UI and in database queries [2].
The XSS vulnerability is exploitable by unauthenticated users, and only requires an attacker to convince their target to click on a specially crafted link to execute JavaScript in the context of a wiki running CentralNotice. Affected versions include git master after 2016-10-26 or release branches REL1_29 and REL1_30.
The weaknesses in escaping would only be exploitable by users with CentralNotice administrator rights.
If you are running CentralNotice, please update to the latest code from git [3] or download updated snapshots for release versions 1.27, 1.29, 1.30, or git master from [4].
Many thanks to Brian Wolff for finding the XSS vulnerability and writing the fixes, and to Andrew Green for finding the weak escaping and organizing the patches.
[1] https://phabricator.wikimedia.org/T175900
[2] https://phabricator.wikimedia.org/T171987
[3] https://gerrit.wikimedia.org/r/mediawiki/extensions/CentralNotice
[4] https://www.mediawiki.org/wiki/Special:ExtensionDistributor/CentralNotice