it-securitynotifies AT lists.piratenpartei.de

Topic: Security announcements

List archive

[IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.13/1.42.7/1.43.2)


  • From: Manfredi Martorana <mmartorana AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org
  • Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.13/1.42.7/1.43.2)
  • Date: Wed, 9 Jul 2025 18:53:41 +0200
  • Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/B757OC4UOPKOO4EYXNPUKQY2BS4CQE2E/>
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=lists.wikimedia.org header.s=wikimedia header.b="XcMqxf//"; spf=pass (lists.piratenpartei.de: domain of mediawiki-announce-bounces AT lists.wikimedia.org designates 2620:0:861:3:208:80:154:81 as permitted sender) smtp.mailfrom=mediawiki-announce-bounces AT lists.wikimedia.org; dmarc=pass (policy=none) header.from=wikimedia.org
  • List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

Greetings-

With the security/maintenance release of MediaWiki 1.39.13/1.42.7/1.43.2,
we would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:

ManageWiki
+ (
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-gg42-cv66-f5x7,
CVE-2025-32956) - SQL injection vulnerability in NamespaceMigrationJob
https://github.com/miraheze/ManageWiki/commit/f504ed8eeb59b57ebb90f93cd44f23da4c5bc4c9

IPInfo
+ (T392976 <https://phabricator.wikimedia.org/T392976>, CVE-2025-53481) -
Denial of service vector on ipinfo/v0/norevision
https://gerrit.wikimedia.org/r/q/I474b7a1b3bc1e7597fee0826a18a0cf042359f0f

IPInfo
+ (T392976 <https://phabricator.wikimedia.org/T392976>, CVE-2025-53481) -
Denial of service vector on ipinfo/v0/norevision
https://gerrit.wikimedia.org/r/q/I08a7154f8fa08bb6f0940e522075bdc2a3d4433f

IPInfo
+ (T394393 <https://phabricator.wikimedia.org/T394393>, CVE-2025-53482) -
IPInfo: Message key XSS through several IPInfo messages in infobox and popup
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1146685

IPInfo
+ (T394393 <https://phabricator.wikimedia.org/T394393>, CVE-2025-53482) -
IPInfo: Message key XSS through several IPInfo messages in infobox and popup
https://gerrit.wikimedia.org/r/q/Ibb9b7dcb04f551a3da32e9de09a8ac11caa2a3aa

SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53483) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SecurePoll/+/1149618

SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53484) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/I5fb4da635b538b6ef121ae77d9088737fd8bf0de

SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53483) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/I7a771f81cc72bd5c6242767cf3f5e19fa140accc

SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53485) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/Iaaae70289464b8f097ff8d2d6c828ddf942d2d60

SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53484) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/Id6e0c8c3020c293460010ef0019bc6c40d43b596

WikiCategoryTagCloud
+ (T394590 <https://phabricator.wikimedia.org/T394590>, CVE-2025-53486) -
Reflected XSS in WikiCategoryTagCloud
https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17

ApprovedRevs
+ (T394383 <https://phabricator.wikimedia.org/T394383>, CVE-2025-53487) -
Stored XSS through system messages in Extension:ApprovedRevs
https://gerrit.wikimedia.org/r/q/Ifcab085111e7898da485a5e2ae287fee4e6d167b

CheckUser
+ (T394692 <https://phabricator.wikimedia.org/T394692>, CVE-2025-53478) -
Special:Investigate 'IPs and User agents' tab has i18n XSS vectors
https://gerrit.wikimedia.org/r/q/I3a1e21b6800ff4d813a33ee9fe9b7ccf070b6b2e

CheckUser
+ (T394693 <https://phabricator.wikimedia.org/T394693>, CVE-2025-53479) -
Special:CheckUser has i18n XSS vectors
https://gerrit.wikimedia.org/r/q/I159e14543912cb3bc7f4a00c3090c0285b154786

CheckUser
+ (T394700 <https://phabricator.wikimedia.org/T394700>, CVE-2025-53480) -
Special:Investigate 'Account information' tab has i18n XSS vectors
https://gerrit.wikimedia.org/r/q/I777fc55fef15c3b00df0db268af2b64cb2d6e381

MsUpload
+ (T394864 <https://phabricator.wikimedia.org/T394864>, CVE-2025-7362) -
Stored XSS through a system message in MsUpload
https://gerrit.wikimedia.org/r/q/Icf4c0a5a936926ea887ca2e48c3a7bd297201d9f

TitleIcon
+ (T394721 <https://phabricator.wikimedia.org/T394721>, CVE-2025-7363) -
XSS in TitleIcon
https://gerrit.wikimedia.org/r/q/I107ab638fecbf52b5bec3f02726ed24b1ae74429

TwoColConflict
+ (T394938 <https://phabricator.wikimedia.org/T394938>, CVE-2025-53494) -
Stored XSS in TwoColConflict
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TwoColConflict/+/1150011

MintyDocs
+ (T395376 <https://phabricator.wikimedia.org/T395376>, CVE-2025-53493) -
Stored XSS in MintyDocs
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1151800

MintyDocs
+ (T395737 <https://phabricator.wikimedia.org/T395737>, CVE-2025-53492) -
Stored XSS in MintyDocs
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1152771

FlaggedRevs
+ (T394397 <https://phabricator.wikimedia.org/T394397>, CVE-2025-53491) -
Stored XSS in FlaggedRevs
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FlaggedRevs/+/1165929

CampaignEvents
+ (T395622 <https://phabricator.wikimedia.org/T395622>, CVE-2025-53490) -
Multiple XSS in CampaignEvents
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/1165949

GoogleDocs4MW
+ (T395949 <https://phabricator.wikimedia.org/T395949>, CVE-2025-53489) -
XSS in GoogleDocs4MW
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GoogleDocs4MW/+/1155269

wikihiero
+ (T396524 <https://phabricator.wikimedia.org/T396524>, CVE-2025-53488) -
Stored XSS in WikiHiero
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/wikihiero/+/1166018

RelatedArticles
+ (T396413 <https://phabricator.wikimedia.org/T396413>, CVE-2025-53497) -
Stored XSS in RelatedArticles
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RelatedArticles/+/1166024

MediaSearch
+ (T396946 <https://phabricator.wikimedia.org/T396946>, CVE-2025-53496) -
Stored XSS in MediaSearch
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaSearch/+/1166030

AbuseFilter
+ (T396750 <https://phabricator.wikimedia.org/T396750>, CVE-2025-53495) -
Unauthorized Disclosure of IP Reputation in AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166040

AbuseFilter
+ (T397196 <https://phabricator.wikimedia.org/T397196>, CVE-2025-53499) -
Unauthorized Inspection of Protected Variables in AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166045

AbuseFilter
+ (T397221 <https://phabricator.wikimedia.org/T397221>, CVE-2025-53498) -
Lack of Audit Logging in AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166844

FeaturedFeeds
+ (T392279 <https://phabricator.wikimedia.org/T392279>, CVE-2025-53502) -
HTML injection in FeaturedFeeds
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FeaturedFeeds/+/1149742

Scribunto
+ (T397524 <https://phabricator.wikimedia.org/T397524>, CVE-2025-53501) -
Content Access Bypass in Scribunto
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Scribunto/+/1164541

MassEditRegex
+ (T397334 <https://phabricator.wikimedia.org/T397334>, CVE-2025-53500) -
Stored XSS in MassEditRegex
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MassEditRegex/+/1163878

CentralAuth
+ (T389010 <https://phabricator.wikimedia.org/T389010>, CVE-2025-6926) -
Security Authentication Bypass in CentralAuth
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165117

ManageWiki
+ (
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-ccrf-x5rp-gppr,
CVE-2025-32964) - ManageWiki Vulnerable To Permission Bypass When Disabling
Extensions Requiring Certain Permissions In Special:ManageWiki/Extensions
https://github.com/miraheze/ManageWiki/commit/00bebea43a3e3ff0157b5f04df17c1d1e88a9acd

ManageWiki
+ (
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-859x-46h8-vcrv,
CVE-2025-43861) - ManageWiki Vulnerable to Self-XSS in review dialog via
unsanitized field reflection
https://github.com/miraheze/ManageWiki/commit/2f177dc83b28b727613215b835d4036cb179e4ab

Citizen
+ (
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87,
CVE-2025-49575) - Citizen Allows Stored XSS In Command Palette Tip Messages
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5

Citizen
+ (
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-86xf-2mgp-gv3g,
CVE-2025-49576) - Citizen Allows Stored XSS In Search No Result Messages
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd

Citizen
+ (
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-jwr7-992g-68mh,
CVE-2025-49577) - Citizen Allows Stored XSS In Preference Menu Headings
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd

Citizen
+ (
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h,
CVE-2025-49578) - Citizen Allows Stored XSS In User Registration Date
Message
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb

Citizen
+ (
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g3cp-pq72-hjpv,
CVE-2025-49579) - Citizen Allows Stored XSS In Menu Heading Message
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65

TabberNeue
+ (
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-jfj7-249r-7j2m,
CVE-2025-53093) - TabberNeue Vulnerable To Stored XSS Through Wikitext
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/4cdf217ef96da74a1503d1dd0bb0ed898fc2a612

ShortDescription
+ (
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-p85q-mww9-gwqf,
CVE-2025-53369) - Citizen Short Description Stored XSS Vulnerability
Through Wikitext
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bc4fdbaeb1dff127fb6d08c0d385b64aa128c8f8

Citizen
+ (
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-rq6g-6g94-jfr4,
CVE-2025-53368) - Citizen Is Vulnerable To Stored XSS Attack In The Legacy
Search Bar
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/aedbceb3380bb48db6b59e272fc187529c71c8ca

Citizen
+ (
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-prmv-7r8c-794g,
CVE-2025-53370) - Citizen Stored XSS Vulnerability Through Short
Descriptions
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/c85a40bddc8651fff66df83a72debddcb34f0521

UrlShortener
+ (T394869 <https://phabricator.wikimedia.org/T394869>, CVE-2025-7056) -
Stored XSS in UrlShortener
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UrlShortener/+/1166268

Quiz
+ (T394612 <https://phabricator.wikimedia.org/T394612>, CVE-2025-7057) -
Stored XSS in Quiz
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Quiz/+/1166274

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or the relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sensitive information is sometimes exposed in the task, and since Phabricator
retains full task history, we cannot make these tasks public without exposing
that sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security AT wikimedia.org
or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T389312
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
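As a starting point for acting on the recommendation above, here is an added inventory check; it is not part of the announcement and not Wikimedia tooling. It takes the extension and skin names exactly as listed in this notice and reports which of them are present in a MediaWiki install and what branch each checkout is on. Assumptions not stated on the page: a standard layout with `<root>/extensions/<Name>` and `<root>/skins/<Name>`, each directory a git checkout whose `.git/HEAD` names the branch (for example `ref: refs/heads/REL1_43`), and the `REL1_39` / `REL1_42` / `REL1_43` branch names that correspond to the three release series named in the subject line.

```python
"""Inventory check for the extensions and skins listed in this announcement.

Added example; not part of the announcement and not Wikimedia tooling.
Assumptions not stated on the page: a standard MediaWiki layout with
<root>/extensions/<Name> and <root>/skins/<Name>, each directory a git
checkout whose .git/HEAD names the branch ("ref: refs/heads/REL1_43").
"""
from pathlib import Path

# Names as they appear in the announcement.
AFFECTED_EXTENSIONS = {
    "ManageWiki", "IPInfo", "SecurePoll", "WikiCategoryTagCloud", "ApprovedRevs",
    "CheckUser", "MsUpload", "TitleIcon", "TwoColConflict", "MintyDocs",
    "FlaggedRevs", "CampaignEvents", "GoogleDocs4MW", "wikihiero",
    "RelatedArticles", "MediaSearch", "AbuseFilter", "FeaturedFeeds",
    "Scribunto", "MassEditRegex", "CentralAuth", "TabberNeue",
    "ShortDescription", "UrlShortener", "Quiz",
}
AFFECTED_SKINS = {"Citizen"}
# Release branches for the three fixed series, plus master (both named in the notice).
SUPPORTED_BRANCHES = {"REL1_39", "REL1_42", "REL1_43", "master"}


def checked_out_branch(repo: Path):
    """Branch named in .git/HEAD; None if the tree is not a git checkout
    or HEAD is detached (a bare commit hash instead of a ref)."""
    try:
        head = (repo / ".git" / "HEAD").read_text(encoding="utf-8").strip()
    except OSError:
        return None
    prefix = "ref: refs/heads/"
    return head[len(prefix):] if head.startswith(prefix) else None


def scan_install(root):
    """Return {name: (branch, status)} for every affected component present.

    status is "ok" when the checkout is on a supported release branch or
    master, "review" otherwise. "ok" only means the branch is right; it does
    not prove the fix commit has actually been pulled.
    """
    root = Path(root)
    report = {}
    for subdir, affected in (("extensions", AFFECTED_EXTENSIONS), ("skins", AFFECTED_SKINS)):
        base = root / subdir
        if not base.is_dir():
            continue
        # Match directory names case-insensitively: the wikihiero extension is
        # listed in lowercase but may be checked out as WikiHiero.
        wanted = {name.lower(): name for name in affected}
        for entry in sorted(base.iterdir()):
            canonical = wanted.get(entry.name.lower())
            if canonical is None or not entry.is_dir():
                continue
            branch = checked_out_branch(entry)
            status = "ok" if branch in SUPPORTED_BRANCHES else "review"
            report[canonical] = (branch, status)
    return report


def needs_review(report):
    """Names whose checkout is missing, detached, or on an unsupported branch."""
    return sorted(name for name, (_, status) in report.items() if status == "review")


if __name__ == "__main__":
    import sys

    wiki_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, (branch, status) in scan_install(wiki_root).items():
        print(f"{status:7} {name:24} {branch or '(not a branch checkout)'}")
```

Run it as `python3 check_affected.py /var/www/mediawiki` (path assumed). A component reported as "ok" is on the right branch, but the branch may still be behind the fix: after `git pull` on each affected checkout, confirm the specific fix commit is an ancestor of HEAD with `git merge-base --is-ancestor <fix-commit> HEAD` using the commit or change linked in the entry above. Components installed by some other means (tarballs, Composer) have no `.git/HEAD` and are reported as "review"; for those, compare the installed version against the linked advisory by hand.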
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org

Archive provided by MHonArc 2.6.19+.