MediaWiki Extensions and Skins Security Release Supplement (1.39.7/1.40.3/1.41.1) - MediaWiki-announce

6 May 2024


      Greetings-
There was a delay in CVE assignment due to a backlog with Mitre. With the
security/maintenance release of MediaWiki .39.7/1.40.3/1.41.1, we would
also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:
CheckUser
+ (T355434, CVE-2024-34505) - Temporary account IP reveal does not check
the deleted status
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/992795/
CheckUser
+ (T356226, CVE-2024-34501) - CheckUser Client Hints REST API does not use
a CSRF token
https://gerrit.wikimedia.org/r/q/Idc776c7c7612c8b9e2c134706c9e2ebc2f5b655f
ReportIncident
+ (T356190, CVE-2024-34503) - ReportIncident REST API does not use a CSRF
token
https://gerrit.wikimedia.org/r/q/I27b5899cf69837c9ab8fee2b5bc9b2e788e69f9e
IPInfo
+ (T356183, CVE-2024-34504) - IPInfo REST APIs are not safe from CSRF
attacks
https://gerrit.wikimedia.org/r/q/I5974c1e71286f5f920ace51ba064e96c88296a4e
WikiDiscover
+ (GHSA-cfcf-94jv-455f, CVE-2024-25107) - Cross-Site Scripting on
Special:WikiDiscover
https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-...
UnlinkedWikibase
+ (T357203, CVE-2024-34500) - XSS through interface message in
UnlinkedWikibase
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/100...
WikibaseLexeme
+ (T357101, CVE-2024-34502) - Special:MergeLexemes makes edits on GET
requests without edit tokens
https://gerrit.wikimedia.org/r/q/Iae0c7c3b979118559c9ce2276618c6cdec11e63d
Cargo
+ (T331362, CVE-2023-29134) - SQL injection in Cargo handling of quotes
inside backticks
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1005478
ManageWiki
+ (GHSA-cfcf-94jv-455f, CVE-2024-25109) - Special:ManageWiki does not
escape escape interface messages
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r...
CreateWiki
+ (GHSA-8wjf-mxjg-j8p9, CVE-2024-29883) - Special:ManageWiki does not
escape escape interface messages
https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8...
[1] https://phabricator.wikimedia.org/T353904
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs