151 行
11 KiB
JSON
151 行
11 KiB
JSON
{
|
|
"canonical_id": "mediawiki--31d957bc6b",
|
|
"system_id": "mediawiki",
|
|
"display_name": "MediaWiki",
|
|
"category": "cms",
|
|
"advisory_mode": "core",
|
|
"title": "[MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.12/1.42.6/1.43.1)",
|
|
"summary": "Greetings-\n\n...and hopefully one last round of apologies. It was pointed out that the\n_contents_ of the previous release emails were _also_ incorrect, as opposed\nto just the relevant versions of MediaWiki. The following is both the\ncorrect content (released security issues) and relevant MediaWiki versions.\n\nWith the security/maintenance release of MediaWiki 1.39.12/1.42.6/1.43.1,\nwe would also like to provide this supplementary announcement of MediaWiki\nextensions and skins with now-public Phabricator tasks, security patches\nand backports [1]:\n\nSimpleCalendar\n+ (T383472, CVE-2025-32077) - XSSes in Extension:SimpleCalendar\nhttps://gerrit.wikimedia.org/r/q/Ic5b5ce8f7791026eff1aafffb32a68f3aab119be\n\nVersionCompare\n+ (T384269, CVE-2025-32078) - XSSes and potential RCE in\nSpecial:VersionCompare\nhttps://gerrit.wikimedia.org/r/q/If901b3b98e615e1a4f4034d932d2d592000b51d0\n\nGrowthExperiments\n+ (T384244, CVE-2025-32079) - Saving the right content to\nMediaWiki:GrowthMentors.json can take down the site\nhttps://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1114020\n\nMobileFrontend\n+ (T366402, CVE-2025-32080) - Cross-origin data leak in mobilefrontend via\nlazy load images\nhttps://gerrit.wikimedia.org/r/c/mediawiki/extensions/MobileFrontend/+/1123392\n\nVisualData\n+ (T385935, CVE-2025-32076) - Evil regex used to process user-provided data\nin VisualData\nhttps://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualData/+/1121732\n\nFeedUtils\n+ (T386175, CVE-2025-32072) - HTML injection in feed output from i18n\nmessage\nhttps://gerrit.wikimedia.org/r/c/mediawiki/core/+/1120134\n\nHTMLTags\n+ (T386337, CVE-2025-32073) - System message XSS in HTMLTags\nhttps://gerrit.wikimedia.org/r/c/mediawiki/extensions/HTMLTags/+/1121056\n\nConfirmAccount\n+ (T386908, CVE-2025-32074) - XSSes in Extension:ConfirmAccount\nhttps://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f\n\nTabs\n+ (T386887, CVE-2025-32075) - IP and user agent leaks in Extension:Tabs\nhttps://gerrit.wikimedia.org/r/q/I03bec9528ee3ed05f35187458cde4e2fc4b51092\n\nGrowthExperiments\n+ (T386963, CVE-2025-32067) - i18n XSS vulnerability in message\ngrowthexperiments\nhttps://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1122163\n\nOAuth\n+ (T336113, CVE-2025-32068) - Revoking authorization of OAuth2 consumer\ndoes not invalidate refresh tokens\nhttps://gerrit.wikimedia.org/r/q/I27b61af2cdfb862a42432e7a87b863033d540cfc\n\nWikibaseMediaInfo\n+ (T387691, CVE-2025-32069) - Wikitext stored XSS on filepages due to\ndangerous WBMI serialization\nhttps://gerrit.wikimedia.org/r/q/Ie969a8cfeab0d4457417773fa884e271968e5657\n\nAJAXPoll\n+ (T389590, CVE-2025-32070) - XSSes in AJAXPoll\nhttps://gerrit.wikimedia.org/r/q/Ib59c59b2cd36928ab200149c851e2bfcf5cf920c\n\nWikibbase\n+ (T389369, CVE-2025-32071) - Wikibase CommonsInlineImageFormatter: i18n XSS\nhttps://gerrit.wikimedia.org/r/q/Iac1f1c27054bfd1a4a4251281ab8c72f59204a90\n\nThe Wikimedia Security Team recommends updating these extensions and/or\nskins to the current master branch or relevant, supported release branch\n[2] as soon as possible. Some of the referenced Phabricator tasks above\n_may_ still be private. Unfortunately, when security issues are reported,\nsometimes sensitive information is exposed and since Phabricator is\nhistorical, we cannot make these tasks public without exposing this\nsensitive information. If you have any additional questions or concerns\nregarding this update, please feel free to contact security\uff20wikimedia.org\nor file a security task within Phabricator [3].\n\n[1] https://phabricator.wikimedia.org/T382326\n[2] https://www.mediawiki.org/wiki/Version_lifecycle\n[3] https://www.mediawiki.org/wiki/Reporting_security_bugs\n\n-- \nScott Bassett\nsbassett\uff20wikimedia.org",
|
|
"published_at": "Fri, 11 Apr 2025 20:47:11 +0000",
|
|
"updated_at": "Fri, 11 Apr 2025 20:47:11 +0000",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"source_confidence": "official",
|
|
"official_source_url": "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/OXIGQIHBL26HFKG6TT5SWSH7K7W6RO4H/",
|
|
"secondary_source_urls": [],
|
|
"aliases": [],
|
|
"cve_ids": [],
|
|
"ghsa_ids": [],
|
|
"osv_ids": [],
|
|
"affected_versions": [],
|
|
"fixed_versions": [],
|
|
"package_name": null,
|
|
"render_markdown": false,
|
|
"case_path": null,
|
|
"secure_code_topics": [
|
|
"xss-output-encoding",
|
|
"authz-server-side-recheck",
|
|
"file-upload-validation",
|
|
"token-cookie-storage",
|
|
"plugin-extension-trust-policy",
|
|
"deserialization-safety"
|
|
],
|
|
"status": "triage",
|
|
"triage_reasons": [
|
|
"missing affected/fixed version details"
|
|
],
|
|
"entity_refs": [
|
|
{
|
|
"entity_id": "mediawiki",
|
|
"entity_type": "system",
|
|
"relation": "root-system",
|
|
"root_system_id": "mediawiki",
|
|
"official": true
|
|
}
|
|
],
|
|
"affected_components": [
|
|
{
|
|
"name": "MediaWiki",
|
|
"entity_id": "mediawiki",
|
|
"scope": "core",
|
|
"package_name": null,
|
|
"official": true
|
|
}
|
|
],
|
|
"affected_version_ranges": [],
|
|
"fixed_version_ranges": [],
|
|
"introduced_version": null,
|
|
"patched_version": null,
|
|
"version_evidence_sources": [
|
|
"https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/OXIGQIHBL26HFKG6TT5SWSH7K7W6RO4H/"
|
|
],
|
|
"affected_version_refs": [],
|
|
"fixed_version_refs": [],
|
|
"patched_version_refs": [],
|
|
"version_sync_confidence": "low",
|
|
"advisory_scope": "core",
|
|
"version_confidence": "low",
|
|
"version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
|
|
"version_resolution_needed": true,
|
|
"workflow": {
|
|
"workflow_id": "mediawiki--31d957bc6b--workflow",
|
|
"vuln_family": "xss",
|
|
"entry_surface": "web-ui-render-path",
|
|
"preconditions": [
|
|
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
|
|
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
|
|
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
|
|
],
|
|
"required_role": "editor-or-admin",
|
|
"affected_version_assertion": [
|
|
"\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
|
|
],
|
|
"trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
|
"request_or_ui_path": [
|
|
"/admin/editor",
|
|
"/preview",
|
|
"/rendered-content"
|
|
],
|
|
"input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
|
|
"expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
|
|
"server_evidence_points": [
|
|
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
|
|
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
|
|
],
|
|
"browser_evidence_points": [
|
|
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
|
|
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
|
|
],
|
|
"db_or_fs_evidence_points": [
|
|
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
|
|
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
|
|
],
|
|
"detection_signals": [
|
|
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
|
|
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
|
|
],
|
|
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
|
|
"patch_validation_steps": [
|
|
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
|
|
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
|
|
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
|
|
"\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
|
],
|
|
"lab_safety_notes": [
|
|
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
|
|
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
|
|
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
|
|
],
|
|
"review_state": "needs-version-gap-review"
|
|
},
|
|
"verification_status": "triage-manual",
|
|
"verification_mode": "synthetic",
|
|
"last_verified_at": null,
|
|
"last_run_id": null,
|
|
"evidence_bundle": null,
|
|
"historical_status": null,
|
|
"latest_status": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
},
|
|
"repro_profile_id": "xss-generic",
|
|
"artifact_mode": "synthetic",
|
|
"blocked_reason": null,
|
|
"metadata": {
|
|
"source_names": [
|
|
"MediaWiki Announce RSS"
|
|
],
|
|
"source_kinds": [
|
|
"rss-feed"
|
|
],
|
|
"candidate_count": 1,
|
|
"entity_ref_count": 1,
|
|
"advisory_scope": "core",
|
|
"version_confidence": "low",
|
|
"workflow_id": "mediawiki--31d957bc6b--workflow"
|
|
}
|
|
}
|