
Publish maintenance releases of Wikibase including fixes to XSS vulnerabilities in the Query Service UI
Closed, Resolved | Public | Security

Description

Targeting both the most recent MediaWiki 1.35 and 1.36 based Wikibase releases, i.e. 1.35.5-wmde3 and 1.36.3-wmde4.

Issues for which fixes are to be included:
T297686: Wikidata Query UI lets users build links with arbitrary link text and javascript: URL
T298839: XSS in WDQS query helper
T298871: XSS in WDQS UI result view explore button

Once the Wikibase releases are published and security fixes are applied to Wikidata and wikibase.cloud, the relevant issues and tasks can be made public and closed.

Details

Author Affiliation
Wikimedia Deutschland

Event Timeline

Reedy renamed this task from Publish maintenance releases of Wikibase including fixes to XSS vulnerabilities in the Query Service UI. to Publish maintenance releases of Wikibase including fixes to XSS vulnerabilities in the Query Service UI. Feb 7 2022, 4:45 PM
Reedy edited projects, added SecTeam-Processed; removed Security-Team.
Addshore changed the visibility from "Custom Policy" to "Public (No Login Required)".
Addshore changed the edit policy from "Custom Policy" to "All Users".