[IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.13/1.42.7/1.43.2)
- From: Manfredi Martorana <mmartorana AT wikimedia.org>
- To: mediawiki-announce AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org
- Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.13/1.42.7/1.43.2)
- Date: Wed, 9 Jul 2025 18:53:41 +0200
- Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/B757OC4UOPKOO4EYXNPUKQY2BS4CQE2E/>
- List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>
Greetings-
With the security/maintenance release of MediaWiki 1.39.13/1.42.7/1.43.2,
we would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:
ManageWiki
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-gg42-cv66-f5x7, CVE-2025-32956) - SQL injection vulnerability in NamespaceMigrationJob
https://github.com/miraheze/ManageWiki/commit/f504ed8eeb59b57ebb90f93cd44f23da4c5bc4c9
IPInfo
+ (T392976 <https://phabricator.wikimedia.org/T392976>, CVE-2025-53481) -
Denial of service vector on ipinfo/v0/norevision
https://gerrit.wikimedia.org/r/q/I474b7a1b3bc1e7597fee0826a18a0cf042359f0f
IPInfo
+ (T392976 <https://phabricator.wikimedia.org/T392976>, CVE-2025-53481) -
Denial of service vector on ipinfo/v0/norevision
https://gerrit.wikimedia.org/r/q/I08a7154f8fa08bb6f0940e522075bdc2a3d4433f
IPInfo
+ (T394393 <https://phabricator.wikimedia.org/T394393>, CVE-2025-53482) -
IPInfo: Message key XSS through several IPInfo messages in infobox and popup
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1146685
IPInfo
+ (T394393 <https://phabricator.wikimedia.org/T394393>, CVE-2025-53482) -
IPInfo: Message key XSS through several IPInfo messages in infobox and popup
https://gerrit.wikimedia.org/r/q/Ibb9b7dcb04f551a3da32e9de09a8ac11caa2a3aa
SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53483) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SecurePoll/+/1149618
SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53484) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/I5fb4da635b538b6ef121ae77d9088737fd8bf0de
SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53483) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/I7a771f81cc72bd5c6242767cf3f5e19fa140accc
SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53485) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/Iaaae70289464b8f097ff8d2d6c828ddf942d2d60
SecurePoll
+ (T392341 <https://phabricator.wikimedia.org/T392341>, CVE-2025-53484) -
SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation
https://gerrit.wikimedia.org/r/q/Id6e0c8c3020c293460010ef0019bc6c40d43b596
WikiCategoryTagCloud
+ (T394590 <https://phabricator.wikimedia.org/T394590>, CVE-2025-53486) -
Reflected XSS in WikiCategoryTagCloud
https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17
ApprovedRevs
+ (T394383 <https://phabricator.wikimedia.org/T394383>, CVE-2025-53487) -
Stored XSS through system messages in Extension:ApprovedRevs
https://gerrit.wikimedia.org/r/q/Ifcab085111e7898da485a5e2ae287fee4e6d167b
CheckUser
+ (T394692 <https://phabricator.wikimedia.org/T394692>, CVE-2025-53478) -
Special:Investigate 'IPs and User agents' tab has i18n XSS vectors
https://gerrit.wikimedia.org/r/q/I3a1e21b6800ff4d813a33ee9fe9b7ccf070b6b2e
CheckUser
+ (T394693 <https://phabricator.wikimedia.org/T394693>, CVE-2025-53479) -
Special:CheckUser has i18n XSS vectors
https://gerrit.wikimedia.org/r/q/I159e14543912cb3bc7f4a00c3090c0285b154786
CheckUser
+ (T394700 <https://phabricator.wikimedia.org/T394700>, CVE-2025-53480) -
Special:Investigate 'Account information' tab has i18n XSS vectors
https://gerrit.wikimedia.org/r/q/I777fc55fef15c3b00df0db268af2b64cb2d6e381
MsUpload
+ (T394864 <https://phabricator.wikimedia.org/T394864>, CVE-2025-7362) -
Stored XSS through a system message in MsUpload
https://gerrit.wikimedia.org/r/q/Icf4c0a5a936926ea887ca2e48c3a7bd297201d9f
TitleIcon
+ (T394721 <https://phabricator.wikimedia.org/T394721>, CVE-2025-7363) -
XSS in TitleIcon
https://gerrit.wikimedia.org/r/q/I107ab638fecbf52b5bec3f02726ed24b1ae74429
TwoColConflict
+ (T394938 <https://phabricator.wikimedia.org/T394938>, CVE-2025-53494) -
Stored XSS in TwoColConflict
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TwoColConflict/+/1150011
MintyDocs
+ (T395376 <https://phabricator.wikimedia.org/T395376>, CVE-2025-53493) -
Stored XSS in MintyDocs
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1151800
MintyDocs
+ (T395737 <https://phabricator.wikimedia.org/T395737>, CVE-2025-53492) -
Stored XSS in MintyDocs
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1152771
FlaggedRevs
+ (T394397 <https://phabricator.wikimedia.org/T394397>, CVE-2025-53491) -
Stored XSS in FlaggedRevs
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FlaggedRevs/+/1165929
CampaignEvents
+ (T395622 <https://phabricator.wikimedia.org/T395622>, CVE-2025-53490) -
Multiple XSS in CampaignEvents
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/1165949
GoogleDocs4MW
+ (T395949 <https://phabricator.wikimedia.org/T395949>, CVE-2025-53489) -
XSS in GoogleDocs4MW
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GoogleDocs4MW/+/1155269
wikihiero
+ (T396524 <https://phabricator.wikimedia.org/T396524>, CVE-2025-53488) -
Stored XSS in WikiHiero
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/wikihiero/+/1166018
RelatedArticles
+ (T396413 <https://phabricator.wikimedia.org/T396413>, CVE-2025-53497) -
Stored XSS in RelatedArticles
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RelatedArticles/+/1166024
MediaSearch
+ (T396946 <https://phabricator.wikimedia.org/T396946>, CVE-2025-53496) -
Stored XSS in MediaSearch
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaSearch/+/1166030
AbuseFilter
+ (T396750 <https://phabricator.wikimedia.org/T396750>, CVE-2025-53495) -
Unauthorized Disclosure of IP Reputation in AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166040
AbuseFilter
+ (T397196 <https://phabricator.wikimedia.org/T397196>, CVE-2025-53499) -
Unauthorized Inspection of Protected Variables in AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166045
AbuseFilter
+ (T397221 <https://phabricator.wikimedia.org/T397221>, CVE-2025-53498) -
Lack of Audit Logging in AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166844
FeaturedFeeds
+ (T392279 <https://phabricator.wikimedia.org/T392279>, CVE-2025-53502) -
HTML injection in FeaturedFeeds
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FeaturedFeeds/+/1149742
Scribunto
+ (T397524 <https://phabricator.wikimedia.org/T397524>, CVE-2025-53501) -
Content Access Bypass in Scribunto
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Scribunto/+/1164541
MassEditRegex
+ (T397334 <https://phabricator.wikimedia.org/T397334>, CVE-2025-53500) -
Stored XSS in MassEditRegex
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MassEditRegex/+/1163878
CentralAuth
+ (T389010 <https://phabricator.wikimedia.org/T389010>, CVE-2025-6926) -
Security Authentication Bypass in CentralAuth
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165117
ManageWiki
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-ccrf-x5rp-gppr, CVE-2025-32964) - ManageWiki Vulnerable To Permission Bypass When Disabling Extensions Requiring Certain Permissions In Special:ManageWiki/Extensions
https://github.com/miraheze/ManageWiki/commit/00bebea43a3e3ff0157b5f04df17c1d1e88a9acd
ManageWiki
+ (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-859x-46h8-vcrv, CVE-2025-43861) - ManageWiki Vulnerable to Self-XSS in review dialog via unsanitized field reflection
https://github.com/miraheze/ManageWiki/commit/2f177dc83b28b727613215b835d4036cb179e4ab
Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87, CVE-2025-49575) - Citizen Allows Stored XSS In Command Palette Tip Messages
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5
Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-86xf-2mgp-gv3g, CVE-2025-49576) - Citizen Allows Stored XSS In Search No Result Messages
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-jwr7-992g-68mh, CVE-2025-49577) - Citizen Allows Stored XSS In Preference Menu Headings
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h, CVE-2025-49578) - Citizen Allows Stored XSS In User Registration Date Message
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb
Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g3cp-pq72-hjpv, CVE-2025-49579) - Citizen Allows Stored XSS In Menu Heading Message
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65
TabberNeue
+ (https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-jfj7-249r-7j2m, CVE-2025-53093) - TabberNeue Vulnerable To Stored XSS Through Wikitext
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/4cdf217ef96da74a1503d1dd0bb0ed898fc2a612
ShortDescription
+ (https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-p85q-mww9-gwqf, CVE-2025-53369) - Citizen Short Description Stored XSS Vulnerability Through Wikitext
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bc4fdbaeb1dff127fb6d08c0d385b64aa128c8f8
Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-rq6g-6g94-jfr4, CVE-2025-53368) - Citizen Is Vulnerable To Stored XSS Attack In The Legacy Search Bar
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/aedbceb3380bb48db6b59e272fc187529c71c8ca
Citizen
+ (https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-prmv-7r8c-794g, CVE-2025-53370) - Citizen Stored XSS Vulnerability Through Short Descriptions
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/c85a40bddc8651fff66df83a72debddcb34f0521
UrlShortener
+ (T394869 <https://phabricator.wikimedia.org/T394869>, CVE-2025-7056) -
Stored XSS in UrlShortener
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UrlShortener/+/1166268
Quiz
+ (T394612 <https://phabricator.wikimedia.org/T394612>, CVE-2025-7057) -
Stored XSS in Quiz
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Quiz/+/1166274
The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security AT wikimedia.org
or file a security task within Phabricator [3].
[1] https://phabricator.wikimedia.org/T389312
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs