
Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2)
Closed, Resolved; Public

Description

Previous work: T382326: Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1)

| Issue ID | Extension or Skin | CVE ID | REL1_39 | REL1_42 | REL1_43 | REL1_44 | master/main |
|---|---|---|---|---|---|---|---|
| GHSA-gg42-cv66-f5x7 | ManageWiki | CVE-2025-32956 | N/A | N/A | N/A | N/A | Yes |
| T392976 (patch 1) | IPInfo | CVE-2025-53481 | No | No | Yes | Yes | Yes |
| T392976 (patch 2) | IPInfo | CVE-2025-53481 | No | No | No | Yes | Yes |
| T394393 (patch 1) | IPInfo | CVE-2025-53482 | N/A | N/A | N/A | N/A | Yes |
| T394393 (patch 2) | IPInfo | CVE-2025-53482 | Yes | Yes | Yes | Yes | Yes |
| T392341 (patch 1) | SecurePoll | CVE-2025-53483 | No | No | No | No | Yes |
| T392341 (patch 2) | SecurePoll | CVE-2025-53484 | No | No | No | No | Yes |
| T392341 (patch 3) | SecurePoll | CVE-2025-53483 | No | No | No | No | Yes |
| T392341 (patch 4) | SecurePoll | CVE-2025-53485 | No | No | No | No | Yes |
| T392341 (patch 5) | SecurePoll | CVE-2025-53484 | No | No | No | No | Yes |
| T394590 | WikiCategoryTagCloud | CVE-2025-53486 | Yes | Yes | Yes | Yes | Yes |
| T394383 | ApprovedRevs | CVE-2025-53487 | No | No | Yes | Yes | Yes |
| T394692 | CheckUser | CVE-2025-53478 | Yes | Yes | Yes | Yes | Yes |
| T394693 | CheckUser | CVE-2025-53479 | N/A | N/A | N/A | Yes | Yes |
| T394700 | CheckUser | CVE-2025-53480 | Yes | Yes | Yes | Yes | Yes |
| T394864 | MsUpload | CVE-2025-7362 | Yes | Yes | Yes | Yes | Yes |
| T394721 | TitleIcon | CVE-2025-7363 | Yes | Yes | Yes | Yes | Yes |
| T394938 | TwoColConflict | CVE-2025-53494 | Yes | Yes | Yes | Yes | Yes |
| T395376 | MintyDocs | CVE-2025-53493 | No | No | Yes | Yes | Yes |
| T395737 | MintyDocs | CVE-2025-53492 | No | No | Yes | Yes | Yes |
| T394397 | FlaggedRevs | CVE-2025-53491 | N/A | N/A | Yes | Yes | Yes |
| T395622 | CampaignEvents | CVE-2025-53490 | No | No | Yes | Yes | Yes |
| T395949 | GoogleDocs4MW | CVE-2025-53489 | N/A | Yes | Yes | Yes | Yes |
| T396524 | wikihiero | CVE-2025-53488 | Yes | Yes | Yes | Yes | Yes |
| T396413 | RelatedArticles | CVE-2025-53497 | N/A | N/A | Yes | Yes | Yes |
| T396946 | MediaSearch | CVE-2025-53496 | No | No | Yes | Yes | Yes |
| T396750 | AbuseFilter | CVE-2025-53495 | N/A | N/A | N/A | Yes | Yes |
| T397196 | AbuseFilter | CVE-2025-53499 | N/A | N/A | No | Yes | Yes |
| T397221 | AbuseFilter | CVE-2025-53498 | N/A | N/A | No | Yes | Yes |
| T392279 | FeaturedFeeds | CVE-2025-53502 | No | No | No | No | Yes |
| T397524 | Scribunto | CVE-2025-53501 | Yes | Yes | Yes | Yes | Yes |
| T397334 | MassEditRegex | CVE-2025-53500 | Yes | Yes | Yes | Yes | Yes |
| T389010 | CentralAuth | CVE-2025-6926 | Yes | Yes | Yes | Yes | Yes |
| GHSA-ccrf-x5rp-gppr | ManageWiki | CVE-2025-32964 | N/A | N/A | N/A | N/A | Yes |
| GHSA-859x-46h8-vcrv | ManageWiki | CVE-2025-43861 | N/A | N/A | N/A | N/A | Yes |
| GHSA-4c2h-67qq-vm87 | Citizen | CVE-2025-49575 | N/A | N/A | N/A | N/A | Yes |
| GHSA-86xf-2mgp-gv3g | Citizen | CVE-2025-49576 | N/A | N/A | N/A | N/A | Yes |
| GHSA-jwr7-992g-68mh | Citizen | CVE-2025-49577 | N/A | N/A | N/A | N/A | Yes |
| GHSA-2v3v-3whp-953h | Citizen | CVE-2025-49578 | N/A | N/A | N/A | N/A | Yes |
| GHSA-g3cp-pq72-hjpv | Citizen | CVE-2025-49579 | N/A | N/A | N/A | N/A | Yes |
| GHSA-jfj7-249r-7j2m | TabberNeue | CVE-2025-53093 | N/A | N/A | N/A | N/A | Yes |
| GHSA-p85q-mww9-gwqf | ShortDescription | CVE-2025-53369 | N/A | N/A | N/A | N/A | Yes |
| GHSA-rq6g-6g94-jfr4 | Citizen | CVE-2025-53368 | N/A | N/A | N/A | N/A | Yes |
| GHSA-prmv-7r8c-794g | Citizen | CVE-2025-53370 | N/A | N/A | N/A | N/A | Yes |
| T394869 | UrlShortener | CVE-2025-7056 | No | Yes | Yes | Yes | Yes |
| T394612 | Quiz | CVE-2025-7057 | Yes | Yes | Yes | Yes | Yes |

Notes

  • Some quality control issues from the previous release we'll want to double-check this time:
    • Let's ensure we send out the correct email to the various listhosts.
    • Let's ensure we have the correct ratings for each CVE. Eight CVEs from the previous release had a CVSS score of 10.0/critical (the default) which I'm not certain was correct for each of those vulnerabilities.
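One quality-control check that the notes above ask for, and that the thread later shows was needed (CVE records claiming a branch was affected where the table says N/A), can be automated by reconciling the table's per-branch flags against the affected-version ranges a CVE record states. The script below is an added example, not part of this task or any Wikimedia tooling. The table rows are copied from the table above; the affected-range strings are constructed to mirror the wording quoted in the thread and are not the real MITRE records for these CVEs.

```python
"""Reconcile per-branch 'affected' flags from a release-tracking table with
the version ranges a CVE record claims.

Added example; not code from the Phabricator task or from Wikimedia.
TABLE_ROWS are copied from the task's table. CVE_AFFECTED_TEXT is
CONSTRUCTED to mirror the problem reported in the thread (a CVE record
saying "from 1.39.X before 1.39.13" for a branch the table marks N/A);
it is not the real MITRE wording for these CVEs.
"""
import re

# Column order of the per-branch flags in each table row.
BRANCHES = ("REL1_39", "REL1_42", "REL1_43", "REL1_44", "master/main")

# Branches covered by the 1.39.13 / 1.42.7 / 1.43.2 release, keyed by the
# major.minor prefix a CVE affected-range statement uses.
RELEASE_BRANCHES = {"1.39": "REL1_39", "1.42": "REL1_42", "1.43": "REL1_43"}

# Rows copied from the task table: issue id, component, CVE id, then one
# flag per branch in BRANCHES order. "Yes" = patch backported, "No" =
# branch affected but not patched, "N/A" = branch not affected.
TABLE_ROWS = [
    ("T396750", "AbuseFilter", "CVE-2025-53495", "N/A", "N/A", "N/A", "Yes", "Yes"),
    ("T397196", "AbuseFilter", "CVE-2025-53499", "N/A", "N/A", "No", "Yes", "Yes"),
    ("T394693", "CheckUser", "CVE-2025-53479", "N/A", "N/A", "N/A", "Yes", "Yes"),
    ("T394692", "CheckUser", "CVE-2025-53478", "Yes", "Yes", "Yes", "Yes", "Yes"),
]

# CONSTRUCTED affected-range statements (hypothetical, not the real records).
CVE_AFFECTED_TEXT = {
    "CVE-2025-53499": "from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, "
                      "from 1.43.X before 1.43.2",
    "CVE-2025-53479": "from 1.39.X before 1.39.13",
    "CVE-2025-53478": "from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, "
                      "from 1.43.X before 1.43.2",
}

# Matches one "from <major.minor>.X before <version>" clause.
RANGE_RE = re.compile(r"from (\d+\.\d+)\.X before \d+\.\d+\.\d+")


def branches_claimed_affected(affected_text):
    """Release branches that a CVE affected-range statement names."""
    return {RELEASE_BRANCHES[mm] for mm in RANGE_RE.findall(affected_text)
            if mm in RELEASE_BRANCHES}


def branches_affected_in_table(row):
    """Release branches the table marks as affected (anything but N/A)."""
    flags = dict(zip(BRANCHES, row[3:]))
    return {b for b in RELEASE_BRANCHES.values() if flags[b] != "N/A"}


def find_discrepancies(rows, cve_texts):
    """Return (cve, branch, problem) tuples where table and CVE record disagree."""
    problems = []
    for row in rows:
        cve = row[2]
        if cve not in cve_texts:
            continue  # no record to compare against
        claimed = branches_claimed_affected(cve_texts[cve])
        in_table = branches_affected_in_table(row)
        for branch in sorted(claimed - in_table):
            problems.append((cve, branch,
                             "CVE record lists branch as affected; table says N/A"))
        for branch in sorted(in_table - claimed):
            problems.append((cve, branch,
                             "table marks branch affected; CVE record omits it"))
    return problems


if __name__ == "__main__":
    for cve, branch, problem in find_discrepancies(TABLE_ROWS, CVE_AFFECTED_TEXT):
        print(f"{cve} {branch}: {problem}")
```

Run against the constructed records, it flags REL1_39 and REL1_42 for CVE-2025-53499 and REL1_39 for CVE-2025-53479, which is the kind of mismatch that should be caught before the announcement goes out rather than corrected via MITRE afterwards. Only the three branches in this release are compared, since a CVE range expressed as release versions says nothing about master.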

Other Assignee: sbassett

Event Timeline

Assigned CVE and backport duties for this report:

@mmartorana
GHSA-gg42-cv66-f5x7 - ManageWiki
T392976 - IPInfo
T392976 - IPInfo
T394393 - IPInfo
T394393 - IPInfo
T392341 - SecurePoll
T392341 - SecurePoll
T392341 - SecurePoll
T392341 - SecurePoll
T392341 - SecurePoll
T394590 - WikiCategoryTagCloud
T394383 - ApprovedRevs
T394692 - CheckUser
T394693 - CheckUser
T394700 - CheckUser
T394864 - MsUpload
T394721 - TitleIcon
@Jly
T394938 - TwoColConflict
T395376 - MintyDocs
T395737 - MintyDocs
T394397 - FlaggedRevs
T395622 - CampaignEvents
T395949 - GoogleDocs4MW
T396524 - wikihiero
T396413 - RelatedArticles
T396946 - MediaSearch
T396750 - AbuseFilter
T397196 - AbuseFilter
T397221 - AbuseFilter
T392279 - FeaturedFeeds
T397524 - Scribunto
T397334 - MassEditRegex
T389010 - CentralAuth

FYI ^ I just added one last-minute CentralAuth patch that deployed to Wikimedia production today. I'm hopeful that's it for this release!

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.13/1.42.7/1.43.2)

Greetings-

With the security/maintenance release of MediaWiki 1.39.13/1.42.7/1.43.2, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

ManageWiki
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-gg42-cv66-f5x7, CVE-2025-32956) - SQL injection vulnerability in NamespaceMigrationJob
https://github.com/miraheze/ManageWiki/commit/f504ed8eeb59b57ebb90f93cd44f23da4c5bc4c9

IPInfo
+ (T392976, CVE-2025-53481) - Denial of service vector on ipinfo/v0/norevision
https://gerrit.wikimedia.org/r/q/I474b7a1b3bc1e7597fee0826a18a0cf042359f0f

IPInfo
+ (T392976, CVE-2025-53481) - Denial of service vector on ipinfo/v0/norevision
https://gerrit.wikimedia.org/r/q/I08a7154f8fa08bb6f0940e522075bdc2a3d4433f

IPInfo
+ (T394393, CVE-2025-53482) - IPInfo: Message key XSS through several IPInfo messages in infobox and popup
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1146685

IPInfo
+ (T394393, CVE-2025-53482) - IPInfo: Message key XSS through several IPInfo messages in infobox and popup
https://gerrit.wikimedia.org/r/q/Ibb9b7dcb04f551a3da32e9de09a8ac11caa2a3aa

SecurePoll
+ (T392341, CVE-2025-53483) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SecurePoll/+/1149618

SecurePoll
+ (T392341, CVE-2025-53484) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/I5fb4da635b538b6ef121ae77d9088737fd8bf0de

SecurePoll
+ (T392341, CVE-2025-53483) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/I7a771f81cc72bd5c6242767cf3f5e19fa140accc

SecurePoll
+ (T392341, CVE-2025-53485) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/Iaaae70289464b8f097ff8d2d6c828ddf942d2d60

SecurePoll
+ (T392341, CVE-2025-53484) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/Id6e0c8c3020c293460010ef0019bc6c40d43b596

WikiCategoryTagCloud
+ (T394590, CVE-2025-53486) - Reflected XSS in WikiCategoryTagCloud
https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17

ApprovedRevs
+ (T394383, CVE-2025-53487) - Stored XSS through system messages in Extension:ApprovedRevs
https://gerrit.wikimedia.org/r/q/Ifcab085111e7898da485a5e2ae287fee4e6d167b

CheckUser
+ (T394692, CVE-2025-53478) - Special:Investigate 'IPs and User agents' tab has i18n XSS vectors
https://gerrit.wikimedia.org/r/q/I3a1e21b6800ff4d813a33ee9fe9b7ccf070b6b2e

CheckUser
+ (T394693, CVE-2025-53479) - Special:CheckUser has i18n XSS vectors
https://gerrit.wikimedia.org/r/q/I159e14543912cb3bc7f4a00c3090c0285b154786

CheckUser
+ (T394700, CVE-2025-53480) - Special:Investigate 'Account information' tab has i18n XSS vectors
https://gerrit.wikimedia.org/r/q/I777fc55fef15c3b00df0db268af2b64cb2d6e381

MsUpload
+ (T394864, CVE-2025-7362) - Stored XSS through a system message in MsUpload
https://gerrit.wikimedia.org/r/q/Icf4c0a5a936926ea887ca2e48c3a7bd297201d9f

TitleIcon
+ (T394721, CVE-2025-7363) - XSS in TitleIcon
https://gerrit.wikimedia.org/r/q/I107ab638fecbf52b5bec3f02726ed24b1ae74429

TwoColConflict
+ (T394938, CVE-2025-53494) - Stored XSS in TwoColConflict
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TwoColConflict/+/1150011

MintyDocs
+ (T395376, CVE-2025-53493) - Stored XSS in MintyDocs
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1151800

MintyDocs
+ (T395737, CVE-2025-53492) - Stored XSS in MintyDocs
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1152771

FlaggedRevs
+ (T394397, CVE-2025-53491) - Stored XSS in FlaggedRevs
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FlaggedRevs/+/1165929

CampaignEvents
+ (T395622, CVE-2025-53490) - Multiple XSS in CampaignEvents
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/1165949

GoogleDocs4MW
+ (T395949, CVE-2025-53489) - XSS in GoogleDocs4MW
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GoogleDocs4MW/+/1155269

wikihiero
+ (T396524, CVE-2025-53488) - Stored XSS in WikiHiero
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/wikihiero/+/1166018

RelatedArticles
+ (T396413, CVE-2025-53497) - Stored XSS in RelatedArticles
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RelatedArticles/+/1166024

MediaSearch
+ (T396946, CVE-2025-53496) - Stored XSS in MediaSearch
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaSearch/+/1166030

AbuseFilter
+ (T396750, CVE-2025-53495) - Unauthorized Disclosure of IP Reputation in AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166040

AbuseFilter
+ (T397196, CVE-2025-53499) - Unauthorized Inspection of Protected Variables in AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166045

AbuseFilter
+ (T397221, CVE-2025-53498) - Lack of Audit Logging in AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166844

FeaturedFeeds
+ (T392279, CVE-2025-53502) - HTML injection in FeaturedFeeds
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FeaturedFeeds/+/1149742

Scribunto
+ (T397524, CVE-2025-53501) - Content Access Bypass in Scribunto
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Scribunto/+/1164541

MassEditRegex
+ (T397334, CVE-2025-53500) - Stored XSS in MassEditRegex
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MassEditRegex/+/1163878

CentralAuth
+ (T389010, CVE-2025-6926) - Security Authentication Bypass in CentralAuth
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165117

ManageWiki
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-ccrf-x5rp-gppr, CVE-2025-32964) - ManageWiki Vulnerable To Permission Bypass When Disabling Extensions Requiring Certain Permissions In Special:ManageWiki/Extensions
https://github.com/miraheze/ManageWiki/commit/00bebea43a3e3ff0157b5f04df17c1d1e88a9acd

ManageWiki
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-859x-46h8-vcrv, CVE-2025-43861) - ManageWiki Vulnerable to Self-XSS in review dialog via unsanitized field reflection
https://github.com/miraheze/ManageWiki/commit/2f177dc83b28b727613215b835d4036cb179e4ab

Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87, CVE-2025-49575) - Citizen Allows Stored XSS In Command Palette Tip Messages
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5

Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-86xf-2mgp-gv3g, CVE-2025-49576) - Citizen Allows Stored XSS In Search No Result Messages
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd

Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-jwr7-992g-68mh, CVE-2025-49577) - Citizen Allows Stored XSS In Preference Menu Headings
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd

Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h, CVE-2025-49578) - Citizen Allows Stored XSS In User Registration Date Message
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb

Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g3cp-pq72-hjpv, CVE-2025-49579) - Citizen Allows Stored XSS In Menu Heading Message
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65

TabberNeue
+ (https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-jfj7-249r-7j2m, CVE-2025-53093) - TabberNeue Vulnerable To Stored XSS Through Wikitext
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/4cdf217ef96da74a1503d1dd0bb0ed898fc2a612

ShortDescription
+ (https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-p85q-mww9-gwqf, CVE-2025-53369) - Citizen Short Description Stored XSS Vulnerability Through Wikitext
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bc4fdbaeb1dff127fb6d08c0d385b64aa128c8f8

Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-rq6g-6g94-jfr4, CVE-2025-53368) - Citizen Is Vulnerable To Stored XSS Attack In The Legacy Search Bar
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/aedbceb3380bb48db6b59e272fc187529c71c8ca

Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-prmv-7r8c-794g, CVE-2025-53370) - Citizen Stored XSS Vulnerability Through Short Descriptions
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/c85a40bddc8651fff66df83a72debddcb34f0521

UrlShortener
+ (T394869, CVE-2025-7056) - Stored XSS in UrlShortener
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UrlShortener/+/1166268

Quiz
+ (T394612, CVE-2025-7057) - Stored XSS in Quiz
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Quiz/+/1166274

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T389312
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.13/1.42.7/1.43.2)

Greetings-

With the security/maintenance release of MediaWiki 1.39.13/1.42.7/1.43.2, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

ManageWiki
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-gg42-cv66-f5x7, CVE-2025-32956) - SQL injection vulnerability in NamespaceMigrationJob
https://github.com/miraheze/ManageWiki/commit/f504ed8eeb59b57ebb90f93cd44f23da4c5bc4c9

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T389312
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

The email should be a lot bigger than just the 1 based on the table

I'm extremely late adding them so if I'm too late then apologies but I added the 2 other ManageWiki CVEs that I forgot to add here

> The email should be a lot bigger than just the 1 based on the table

Yes, I believe the release is still being worked on by @mmartorana and @Jly. They are hopeful to release it this week. Or, at worst, very early next week. The above email text will be updated accordingly.

> I'm extremely late adding them so if I'm too late then apologies but I added the 2 other ManageWiki CVEs that I forgot to add here

Since they are tracked outside of Phab/Gerrit and have CVEs assigned and merged patches already, it should be fairly trivial to include them for this release.

> I'm extremely late adding them so if I'm too late then apologies but I added the 2 other ManageWiki CVEs that I forgot to add here
>
> Since they are tracked outside of Phab/Gerrit and have CVEs assigned and merged patches already, it should be fairly trivial to include them for this release.

Thanks, I added the 5 CVEs from the last citizen release too. I'll try and think of a good way of tracking the ones we find that are from non-Wikimedia maintained extensions. It shouldn't be too difficult now both me and @Paladox have security access to create a Miraheze equivalent we can sync up to here close to the release for the next one. Obviously not sharing anything from here the other way around, just us sharing up to you.

RhinosF1 updated the task description.

> I'm extremely late adding them so if I'm too late then apologies but I added the 2 other ManageWiki CVEs that I forgot to add here
>
> Since they are tracked outside of Phab/Gerrit and have CVEs assigned and merged patches already, it should be fairly trivial to include them for this release.
>
> Thanks, I added the 5 CVEs from the last citizen release too. I'll try and think of a good way of tracking the ones we find that are from non-Wikimedia maintained extensions. It shouldn't be too difficult now both me and @Paladox have security access to create a Miraheze equivalent we can sync up to here close to the release for the next one. Obviously not sharing anything from here the other way around, just us sharing up to you.

I created https://issue-tracker.miraheze.org/T13939 as a tracker for Miraheze so we have a list we can keep in sync between our phab and yours of tasks we expect to see in the security release

Thanks for catching and raising this, I have added them into the table and will work on them.

The AbuseFilter CVEs are wrong. The issues are not present in either 1.39 or 1.42, yet the CVE description incorrectly says that the issue was present "from 1.39.X before 1.39.13" and "1.42.X before 1.42.7"

> The AbuseFilter CVEs are wrong. The issues are not present in either 1.39 or 1.42, yet the CVE description incorrectly says that the issue was present "from 1.39.X before 1.39.13" and "1.42.X before 1.42.7"

Thanks. We should be able to submit requests to Mitre to update these.

Same issue applies to CVE for T394693. It mentions 1.39 but is not a problem in that release.

sbassett awarded a token.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Subscribers" to "All Users".