Vuln-XSS
Tag · Active · Public

Description

This tag is used to group security bugs by their general classification. These bugs allow an attacker to run JavaScript in another user's browser (Cross-site Scripting / XSS). See OWASP Top 10 2017 - A7.

Parent project: Security-Team

Recent Activity

Sat, Aug 10

Bawolff added a comment to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.

We also need a patch to phan-taint-check to make sure the new key name is marked as xss risk.

Sat, Aug 10, 12:27 AM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security

Fri, Aug 9

Maintenance_bot removed a project from T356971: Rename help key to help-raw in HTMLForm and deprecate old key name: Patch-For-Review.
Fri, Aug 9, 2:31 PM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
ReleaseTaggerBot added a project to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name: MW-1.43-notes (1.43.0-wmf.18; 2024-08-13).
Fri, Aug 9, 2:00 PM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
Jdforrester-WMF updated the task description for T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.
Fri, Aug 9, 1:38 PM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
gerritbot added a comment to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.

Change #1055600 merged by jenkins-bot:

[mediawiki/core@master] Deprecate the 'help' key in form descriptors in favor of 'help-raw'

https://gerrit.wikimedia.org/r/1055600

Fri, Aug 9, 1:33 PM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security

Sun, Aug 4

Tgr added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.

Rather than convert the html to wikitext, one avenue here might be to pass the "raw html" through the sanitizer.

Sun, Aug 4, 3:22 PM · I18n, Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General

Thu, Aug 1

matmarex added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.
  • A variant of this would be to add a new message: MediaWiki:CopyrightWikitext. If that message is non-empty, it is used in place of MediaWiki:Copyright and rendered from wikitext. (Or vice-versa, maybe we'd want to use MediaWiki:CopyrightWikitext only if MediaWiki:Copyright was empty?) That would also allow wiki-by-wiki conversions so that only those wikis which actually need raw html use it.
Thu, Aug 1, 8:30 PM · I18n, Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General

Wed, Jul 31

TTO added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.
  • We could also make a site-wide configuration variable for "copyright is raw html", and default it to false, and set it to true only for German Wikipedia.
Wed, Jul 31, 11:46 PM · I18n, Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General
sbassett added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.
  • We could also make a site-wide configuration variable for "copyright is raw html", and default it to false, and set it to true only for German Wikipedia. That would allow us to incrementally improve our security footing without necessarily breaking German wiki or third parties which might rely on this.
Wed, Jul 31, 10:13 PM · I18n, Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General

Tue, Jul 30

cscott added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.

Two ideas for making progress on this:

  • Rather than convert the html to wikitext, one avenue here might be to pass the "raw html" through the sanitizer. Sanitizer::removeSomeTags() will prevent many bad things, while still allowing the external links that German wiki wants. It would be able to block the <img> tag of the original bug report. If third party wikis wanted to embed images in the footer they could do that with CSS rather than embedded <img> tags.
  • We could also make a site-wide configuration variable for "copyright is raw html", and default it to false, and set it to true only for German Wikipedia. That would allow us to incrementally improve our security footing without necessarily breaking German wiki or third parties which might rely on this.
    • A variant of this would be to add a new message: MediaWiki:CopyrightWikitext. If that message is non-empty, it is used in place of MediaWiki:Copyright and rendered from wikitext. (Or vice-versa, maybe we'd want to use MediaWiki:CopyrightWikitext only if MediaWiki:Copyright was empty?) That would also allow wiki-by-wiki conversions so that only those wikis which actually need raw html use it.
Tue, Jul 30, 4:20 PM · I18n, Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General

Mon, Jul 29

sbassett closed T336556: XSS via Graph extension (still) as Invalid.
Mon, Jul 29, 11:48 PM · SecTeam-Processed, MediaWiki-extensions-Graph, Vuln-XSS, Security, Security-Team
sbassett moved T336556: XSS via Graph extension (still) from In Progress to Our Part Is Done on the Security-Team board.
Mon, Jul 29, 11:48 PM · SecTeam-Processed, MediaWiki-extensions-Graph, Vuln-XSS, Security, Security-Team
sbassett updated subscribers of T336556: XSS via Graph extension (still).

Can this be public? It sounds like these issues were fixed, and in any case, the graph extension is dead at this point.

Mon, Jul 29, 11:47 PM · SecTeam-Processed, MediaWiki-extensions-Graph, Vuln-XSS, Security, Security-Team

Thu, Jul 25

Bawolff added a comment to T336556: XSS via Graph extension (still).

Can this be public? It sounds like these issues were fixed, and in any case, the graph extension is dead at this point.

Thu, Jul 25, 8:21 PM · SecTeam-Processed, MediaWiki-extensions-Graph, Vuln-XSS, Security, Security-Team
CCiufo-WMF closed T165118: Support Vega 5.0+, a subtask of T334895: XSS via Graph extension, as Declined.
Thu, Jul 25, 3:31 PM · SecTeam-wikimedia-project-event, SecTeam-Processed, WMDE-TechWish-Sprint-2023-04-05, Editing-team, Vuln-XSS, MediaWiki-extensions-Graph, Security, Security-Team

Sun, Jul 21

gerritbot added a project to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name: Patch-For-Review.
Sun, Jul 21, 4:16 PM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
gerritbot added a comment to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.

Change #1055600 had a related patch set uploaded (by Alejandro Alcaide; author: Alejandro Alcaide):

[mediawiki/core@master] Deprecate the 'help' key in form descriptors in favor of 'help-raw'

https://gerrit.wikimedia.org/r/1055600

Sun, Jul 21, 4:16 PM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security

Jul 10 2024

Aklapper added a comment to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.

@GauriGupta: Please always go to the code project listed under "Tags" in the sidebar of a task; that page links the code repository.

Jul 10 2024, 3:52 PM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
AllUsernamesArePicked added a comment to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.

@AllUsernamesArePicked Can you please share the repo for this issue with me, as I am new to this community and I want to contribute eagerly

HTMLForm is part of MediaWiki core.

Jul 10 2024, 3:27 PM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
GauriGupta added a comment to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.

@AllUsernamesArePicked Can you please share the repo for this issue with me, as I am new to this community and I want to contribute eagerly

Jul 10 2024, 2:59 PM · MW-1.43-notes (1.43.0-wmf.18; 2024-08-13), good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
mmartorana closed T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar as Resolved.
Jul 10 2024, 8:51 AM · security-bug, SecTeam-Processed, Lingua-Libre, Vuln-XSS, Security

Jul 9 2024

Maintenance_bot removed a project from T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar: Patch-For-Review.
Jul 9 2024, 8:00 PM · security-bug, SecTeam-Processed, MediaWiki-skins-Foreground, Vuln-XSS, Security
Maintenance_bot removed a project from T361448: CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar: Patch-For-Review.
Jul 9 2024, 7:52 PM · security-bug, SecTeam-Processed, MediaWiki-skins-GuMaxDD, Vuln-XSS, Security
Maintenance_bot removed a project from T361450: CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar: Patch-For-Review.
Jul 9 2024, 7:52 PM · security-bug, SecTeam-Processed, Nimbus, Vuln-XSS, Security
Maintenance_bot removed a project from T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar: Patch-For-Review.
Jul 9 2024, 7:52 PM · security-bug, SecTeam-Processed, Other-skins, Vuln-XSS, Security
mmartorana added a comment to T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar.

A pull request for this patch has been submitted on github: https://github.com/lingua-libre/BlueLL/pull/18

Jul 9 2024, 8:17 AM · security-bug, SecTeam-Processed, Lingua-Libre, Vuln-XSS, Security

Jul 8 2024

mmartorana renamed T361449: CVE-2024-40600: Metrolook skin: stored XSS via MediaWiki:Sidebar from Metrolook skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40600: Metrolook skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:37 PM · SecTeam-Processed, security-bug, Metrolook, Vuln-XSS, Security, Security-Team
mmartorana renamed T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar from BlueLL skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:37 PM · security-bug, SecTeam-Processed, Lingua-Libre, Vuln-XSS, Security
mmartorana renamed T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar from Foreground skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, MediaWiki-skins-Foreground, Vuln-XSS, Security
mmartorana renamed T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar from Tempo skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, Other-skins, Vuln-XSS, Security
mmartorana renamed T361450: CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar from Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar to CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, Nimbus, Vuln-XSS, Security
mmartorana renamed T361448: CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar from GuMaxDD skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, MediaWiki-skins-GuMaxDD, Vuln-XSS, Security

Jul 5 2024

gerritbot added a comment to T361448: CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar.

Change #1051769 merged by jenkins-bot:

[mediawiki/skins/GuMaxDD@REL1_41] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051769

Jul 5 2024, 7:49 PM · security-bug, SecTeam-Processed, MediaWiki-skins-GuMaxDD, Vuln-XSS, Security
gerritbot added a comment to T361448: CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar.

Change #1051771 merged by jenkins-bot:

[mediawiki/skins/GuMaxDD@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051771

Jul 5 2024, 7:49 PM · security-bug, SecTeam-Processed, MediaWiki-skins-GuMaxDD, Vuln-XSS, Security
gerritbot added a comment to T361450: CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar.

Change #1051773 merged by jenkins-bot:

[mediawiki/skins/Nimbus@REL1_42] [SECURITY] Avoid stored XSS via MediaWiki:Nimbus-sidebar

https://gerrit.wikimedia.org/r/1051773

Jul 5 2024, 7:43 PM · security-bug, SecTeam-Processed, Nimbus, Vuln-XSS, Security
gerritbot added a comment to T361450: CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar.

Change #1051774 merged by jenkins-bot:

[mediawiki/skins/Nimbus@REL1_41] [SECURITY] Avoid stored XSS via MediaWiki:Nimbus-sidebar

https://gerrit.wikimedia.org/r/1051774

Jul 5 2024, 7:42 PM · security-bug, SecTeam-Processed, Nimbus, Vuln-XSS, Security
gerritbot added a comment to T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.

Change #1051776 merged by jenkins-bot:

[mediawiki/skins/Tempo@REL1_41] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051776

Jul 5 2024, 7:40 PM · security-bug, SecTeam-Processed, Other-skins, Vuln-XSS, Security
gerritbot added a comment to T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.

Change #1051778 merged by jenkins-bot:

[mediawiki/skins/Tempo@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051778

Jul 5 2024, 7:39 PM · security-bug, SecTeam-Processed, Other-skins, Vuln-XSS, Security
gerritbot added a comment to T361448: CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar.

Change #1051770 abandoned by Umherirrender:

[mediawiki/skins/GuMaxDD@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar

Reason:

REL1_40 is end of life

https://gerrit.wikimedia.org/r/1051770

Jul 5 2024, 7:38 PM · security-bug, SecTeam-Processed, MediaWiki-skins-GuMaxDD, Vuln-XSS, Security
gerritbot added a comment to T361450: CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar.

Change #1051775 abandoned by Umherirrender:

[mediawiki/skins/Nimbus@REL1_40] [SECURITY] Avoid stored XSS via MediaWiki:Nimbus-sidebar

Reason:

REL1_40 is end of life

https://gerrit.wikimedia.org/r/1051775

Jul 5 2024, 7:38 PM · security-bug, SecTeam-Processed, Nimbus, Vuln-XSS, Security
gerritbot added a comment to T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.

Change #1051777 abandoned by Umherirrender:

[mediawiki/skins/Tempo@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar

Reason:

REL1_40 is end of life

https://gerrit.wikimedia.org/r/1051777

Jul 5 2024, 7:38 PM · security-bug, SecTeam-Processed, Other-skins, Vuln-XSS, Security
Samwilson closed T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar as Resolved.

That makes sense.

Jul 5 2024, 5:54 AM · security-bug, SecTeam-Processed, MediaWiki-skins-Foreground, Vuln-XSS, Security

Jul 4 2024

Urbanecm_WMF added a project to T289408: Mentor dashboard: Permanent XSS exploitable by wiki admins (client-side part) (CVE-2021-42044): GrowthExperiments-Mentorship.
Jul 4 2024, 5:59 PM · GrowthExperiments-Mentorship, MW-1.37-notes (1.37.0-wmf.23; 2021-09-13), SecTeam-Processed, Vuln-XSS, Patch-For-Review, User-Urbanecm_WMF (Engineering), Growth-Team (Sprint 0 (Growth Team)), GrowthExperiments-MentorDashboard, Security, Security-Team
Urbanecm_WMF added a project to T289063: Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047): GrowthExperiments-Mentorship.
Jul 4 2024, 5:59 PM · GrowthExperiments-Mentorship, MW-1.37-notes (1.37.0-wmf.23; 2021-09-13), SecTeam-Processed, user-sbassett, User-Urbanecm_WMF (Engineering), Patch-For-Review, Vuln-XSS, Growth-Team (Sprint 0 (Growth Team)), GrowthExperiments-MentorDashboard, Security, Security-Team
Bawolff added a comment to T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar.

Also, why is escapeIdForAttribute() "not guaranteed to be HTML safe"? What other ID attribute is it intended for, that needs to be able to contain angle brackets etc.? Is it because some XML dialects permit more characters in IDs than HTML does? It looks like a bunch of skins are doing similar things to Foreground here, so it does seem a confusingly named function.

Jul 4 2024, 5:55 AM · security-bug, SecTeam-Processed, MediaWiki-skins-Foreground, Vuln-XSS, Security
gerritbot added a comment to T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar.

Change #1051779 merged by jenkins-bot:

[mediawiki/skins/Foreground@REL1_41] Escape id attribute in sidebar headers

https://gerrit.wikimedia.org/r/1051779

Jul 4 2024, 1:44 AM · security-bug, SecTeam-Processed, MediaWiki-skins-Foreground, Vuln-XSS, Security

Jul 3 2024

gerritbot added a project to T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar: Patch-For-Review.
Jul 3 2024, 2:49 PM · security-bug, SecTeam-Processed, MediaWiki-skins-Foreground, Vuln-XSS, Security
gerritbot added a comment to T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar.

Change #1051779 had a related patch set uploaded (by Mmartorana; author: Samwilson):

[mediawiki/skins/Foreground@REL1_41] Escape id attribute in sidebar headers

https://gerrit.wikimedia.org/r/1051779

Jul 3 2024, 2:49 PM · security-bug, SecTeam-Processed, MediaWiki-skins-Foreground, Vuln-XSS, Security
gerritbot added a comment to T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.

Change #1051778 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/skins/Tempo@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051778

Jul 3 2024, 2:48 PM · security-bug, SecTeam-Processed, Other-skins, Vuln-XSS, Security
gerritbot added a comment to T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.

Change #1051777 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/skins/Tempo@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051777

Jul 3 2024, 2:48 PM · security-bug, SecTeam-Processed, Other-skins, Vuln-XSS, Security