Greetings-
...and hopefully one last round of apologies. It was pointed out that the _contents_ of the previous release emails were _also_ incorrect, as opposed to just the relevant versions of MediaWiki. The following is both the correct content (released security issues) and relevant MediaWiki versions.
With the security/maintenance release of MediaWiki 1.39.12/1.42.6/1.43.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
SimpleCalendar + (T383472, CVE-2025-32077) - XSSes in Extension:SimpleCalendar https://gerrit.wikimedia.org/r/q/Ic5b5ce8f7791026eff1aafffb32a68f3aab119be
VersionCompare + (T384269, CVE-2025-32078) - XSSes and potential RCE in Special:VersionCompare https://gerrit.wikimedia.org/r/q/If901b3b98e615e1a4f4034d932d2d592000b51d0
GrowthExperiments + (T384244, CVE-2025-32079) - Saving the right content to MediaWiki:GrowthMentors.json can take down the site https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/11...
MobileFrontend + (T366402, CVE-2025-32080) - Cross-origin data leak in mobilefrontend via lazy load images https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MobileFrontend/+/11233...
VisualData + (T385935, CVE-2025-32076) - Evil regex used to process user-provided data in VisualData https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualData/+/1121732
FeedUtils + (T386175, CVE-2025-32072) - HTML injection in feed output from i18n message https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1120134
HTMLTags + (T386337, CVE-2025-32073) - System message XSS in HTMLTags https://gerrit.wikimedia.org/r/c/mediawiki/extensions/HTMLTags/+/1121056
ConfirmAccount + (T386908, CVE-2025-32074) - XSSes in Extension:ConfirmAccount https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f
Tabs + (T386887, CVE-2025-32075) - IP and user agent leaks in Extension:Tabs https://gerrit.wikimedia.org/r/q/I03bec9528ee3ed05f35187458cde4e2fc4b51092
GrowthExperiments + (T386963, CVE-2025-32067) - i18n XSS vulnerability in message growthexperiments https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/11...
OAuth + (T336113, CVE-2025-32068) - Revoking authorization of OAuth2 consumer does not invalidate refresh tokens https://gerrit.wikimedia.org/r/q/I27b61af2cdfb862a42432e7a87b863033d540cfc
WikibaseMediaInfo + (T387691, CVE-2025-32069) - Wikitext stored XSS on filepages due to dangerous WBMI serialization https://gerrit.wikimedia.org/r/q/Ie969a8cfeab0d4457417773fa884e271968e5657
AJAXPoll + (T389590, CVE-2025-32070) - XSSes in AJAXPoll https://gerrit.wikimedia.org/r/q/Ib59c59b2cd36928ab200149c851e2bfcf5cf920c
Wikibase + (T389369, CVE-2025-32071) - Wikibase CommonsInlineImageFormatter: i18n XSS https://gerrit.wikimedia.org/r/q/Iac1f1c27054bfd1a4a4251281ab8c72f59204a90
The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or the relevant, supported release branch [2] as soon as possible. Some of the Phabricator tasks referenced above _may_ still be private. Unfortunately, when security issues are reported, sensitive information is sometimes exposed in the task, and since Phabricator retains full history, we cannot make such tasks public without exposing that information. If you have any additional questions or concerns regarding this update, please feel free to contact [email protected] or file a security task within Phabricator [3].
[1] https://phabricator.wikimedia.org/T382326
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs