⚓ T386908 CVE-2025-32074: XSSes in Extension:ConfirmAccount

Subject	Repo	Branch	Lines +/-
SECURITY: Fix various XSSes	mediawiki/extensions/ConfirmAccount	REL1_41	+5 -5
SECURITY: Fix various XSSes	mediawiki/extensions/ConfirmAccount	master	+5 -5
SECURITY: Fix various XSSes	mediawiki/extensions/ConfirmAccount	REL1_43	+5 -5
SECURITY: Fix various XSSes	mediawiki/extensions/ConfirmAccount	REL1_42	+5 -5
SECURITY: Fix various XSSes	mediawiki/extensions/ConfirmAccount	REL1_39	+5 -5

BlankEclair created this task.Feb 20 2025, 10:07 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 20 2025, 10:07 AM

BlankEclair claimed this task.Feb 20 2025, 10:09 AM

BlankEclair added projects: MediaWiki-extensions-ConfirmAccount, Vuln-XSS.

BlankEclair updated the task description. (Show Details)

BlankEclair added a subscriber: aaron.

BlankEclair updated the task description. (Show Details)Feb 20 2025, 10:11 AM

T386908.patch3 KBDownload

RhinosF1 subscribed.Feb 20 2025, 1:56 PM

In T386908#10567028, @BlankEclair wrote:

T386908.patch3 KBDownload

CR+1, this should just go through gerrit when possible.

Change #1121574 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/ConfirmAccount@master] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121574

gerritbot added a project: Patch-For-Review.Feb 21 2025, 9:03 AM

Change #1121575 had a related patch set uploaded (by Paladox; author: BlankEclair):

[mediawiki/extensions/ConfirmAccount@REL1_43] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121575

Change #1121576 had a related patch set uploaded (by Paladox; author: BlankEclair):

[mediawiki/extensions/ConfirmAccount@REL1_42] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121576

Change #1121578 had a related patch set uploaded (by Paladox; author: BlankEclair):

[mediawiki/extensions/ConfirmAccount@REL1_41] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121578

Change #1121579 had a related patch set uploaded (by Paladox; author: BlankEclair):

[mediawiki/extensions/ConfirmAccount@REL1_39] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121579

Change #1121579 merged by jenkins-bot:

[mediawiki/extensions/ConfirmAccount@REL1_39] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121579

Change #1121576 merged by jenkins-bot:

[mediawiki/extensions/ConfirmAccount@REL1_42] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121576

Change #1121575 merged by jenkins-bot:

[mediawiki/extensions/ConfirmAccount@REL1_43] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121575

Change #1121574 merged by jenkins-bot:

[mediawiki/extensions/ConfirmAccount@master] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121574

Change #1121578 merged by Paladox:

[mediawiki/extensions/ConfirmAccount@REL1_41] SECURITY: Fix various XSSes

https://gerrit.wikimedia.org/r/1121578

BlankEclair removed a project: Patch-For-Review.Feb 21 2025, 12:33 PM

sbassett mentioned this in T382326: Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1).Feb 21 2025, 3:09 PM

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Feb 24 2025, 5:04 PM

sbassett added a project: SecTeam-Processed.

Mstyles renamed this task from XSSes in Extension:ConfirmAccount to CVE-2025-32074: XSSes in Extension:ConfirmAccount.Apr 11 2025, 5:05 PM

Mstyles closed this task as Resolved.

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".

Mstyles changed the edit policy from "Custom Policy" to "All Users".

CVE-2025-32074: XSSes in Extension:ConfirmAccount
Closed, ResolvedPublicSecurity
Actions

Description

Details

Related Objects

Event Timeline

	F58432766: T386908.patch
	Feb 20 2025, 10:14 AM

CVE-2025-32074: XSSes in Extension:ConfirmAccountClosed, ResolvedPublicSecurityActions

Description

Details

Related Objects

Event Timeline

CVE-2025-32074: XSSes in Extension:ConfirmAccount
Closed, ResolvedPublicSecurity
Actions