[IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.11/1.41.5/1.42.4)

[Manfredi Martorana <mmartorana AT wikimedia.org>]

Greetings-

With the security/maintenance release of MediaWiki 1.39.11/1.41.5/1.42.4,
we would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:

SocialProfile
+ (T373265 <https://phabricator.wikimedia.org/T373265>, CVE-2025-23074) -
Special:EditProfile exposes the contents of profile fields marked
"hidden"/friends or "friends of friends" when the privileged user isn't a
friend of the user whose profile they edit(ed)
https://gerrit.wikimedia.org/r/q/I4b77ced314bc6cea0ef3657a82e7467d3661fe2a

GlobalBlocking
+ (T377855 <https://phabricator.wikimedia.org/T377855>, CVE-2025-23073) -
API list=globalblocks can reveal IP of autoblock if username and IP are
included in the bgtargets parameter
https://gerrit.wikimedia.org/r/q/I2a2d32aedf6328be0a9f1b4e04a6567a25f19486

RefreshSpecial
+ (T378885 <https://phabricator.wikimedia.org/T378885>, CVE-2025-23072) -
XSS in Special:RefreshSpecial
https://gerrit.wikimedia.org/r/q/Ic9547e80a8296d707ad8a157eb8ba7aa26fb08dc

DataTransfer
+ (T379749 <https://phabricator.wikimedia.org/T379749>, CVE-2025-23081) -
Various security vulnerabilities in Extension:DataTransfer
https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3
https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7
https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9
https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451

OpenBadges
+ (T381220 <https://phabricator.wikimedia.org/T381220>, CVE-2025-23080) -
XSSes in Special:BadgeView
https://gerrit.wikimedia.org/r/q/Ic9448312fa7f1cbc8feac3f852bc8720568522e2

ArticleFeedbackv5
+ (T381753 <https://phabricator.wikimedia.org/T381753>, CVE-2025-23079) -
XSSes in Extension:ArticleFeedbackv5
https://gerrit.wikimedia.org/r/q/I6ee51c8b518bda41739fd666fa2891cc12e79ac3

BreadCrumbs2
+ (T382043 <https://phabricator.wikimedia.org/T382043>, CVE-2025-23078) -
XSS in BreadCrumbs2
https://gerrit.wikimedia.org/r/q/I7878f8f7bc067080f80427b90f8d85337f172711

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security AT wikimedia.org
or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T375631
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org