Vuln-XSS

Description

This tag is used to group security bugs by their general classification. These bugs allow an attacker to run JavaScript in another user's browser (Cross-Site Scripting, XSS). See OWASP Top 10 2017 - A7 (Cross-Site Scripting).

Parent project: Security-Team

Recent Activity

Tue, Aug 19

Dreamy_Jazz closed T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup as Resolved.

I think we can skip QA on this given that it's not happened in around a month.

Tue, Aug 19, 2:49 PM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team
Dreamy_Jazz moved T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.
Tue, Aug 19, 2:49 PM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team
sbassett moved T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Watching to Our Part Is Done on the Security-Team board.
Tue, Aug 19, 1:56 PM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team
STran closed T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation as Resolved.

Closing this as there seems to be no other action needed on our part. @jrbs please re-open if there's a problem.

Tue, Aug 19, 12:00 PM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team
OKryva-WMF moved T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.
Tue, Aug 19, 10:30 AM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team
OKryva-WMF moved T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.
Tue, Aug 19, 10:29 AM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team
OKryva-WMF edited projects for T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup, added: Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)); removed Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)).
Tue, Aug 19, 10:28 AM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team
OKryva-WMF edited projects for T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation, added: Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)); removed Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)).
Tue, Aug 19, 10:27 AM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team

Thu, Aug 14

Dreamy_Jazz added a project to T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup: Essential-Work.
Thu, Aug 14, 10:31 AM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team
Dreamy_Jazz added a project to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation: Essential-Work.
Thu, Aug 14, 10:30 AM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team

Wed, Aug 13

Maintenance_bot removed a project from T395730: Stored XSS through system messages in TemplateData: Patch-For-Review.
Wed, Aug 13, 1:31 PM · VisualEditor, Community-Tech, Template-Discovery-And-Recall, SecTeam-Processed, TemplateData, affects-Miraheze, Vuln-XSS, Security, Security-Team
Maintenance_bot added a project to T395730: Stored XSS through system messages in TemplateData: VisualEditor.
Wed, Aug 13, 1:30 PM · VisualEditor, Community-Tech, Template-Discovery-And-Recall, SecTeam-Processed, TemplateData, affects-Miraheze, Vuln-XSS, Security, Security-Team
sbassett set Author Affiliation to community on T395730: Stored XSS through system messages in TemplateData.
Wed, Aug 13, 1:03 PM · VisualEditor, Community-Tech, Template-Discovery-And-Recall, SecTeam-Processed, TemplateData, affects-Miraheze, Vuln-XSS, Security, Security-Team
SomeRandomDeveloper closed T395730: Stored XSS through system messages in TemplateData as Resolved.

All three XSSs appear to be fixed, so I don't think there's anything left to do here.

Wed, Aug 13, 10:07 AM · VisualEditor, Community-Tech, Template-Discovery-And-Recall, SecTeam-Processed, TemplateData, affects-Miraheze, Vuln-XSS, Security, Security-Team
Samwilson added a comment to T395730: Stored XSS through system messages in TemplateData.

Is there more to do here, or can this be closed?

Wed, Aug 13, 6:11 AM · VisualEditor, Community-Tech, Template-Discovery-And-Recall, SecTeam-Processed, TemplateData, affects-Miraheze, Vuln-XSS, Security, Security-Team

Mon, Aug 11

sbassett triaged T401046: Stored XSS through system messages in Skin:BlueSky as Low priority.
Mon, Aug 11, 3:24 PM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security

Mon, Aug 4

Jly closed T401046: Stored XSS through system messages in Skin:BlueSky as Resolved.

Thanks for sorting this one out. I will resolve it since there are no more actionable items.

Mon, Aug 4, 11:09 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security

Sun, Aug 3

gerritbot added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

Change #1175227 merged by jenkins-bot:

[mediawiki/skins/BlueSky@REL1_43] SECURITY: Properly escape system messages when creating links

https://gerrit.wikimedia.org/r/1175227

Sun, Aug 3, 1:22 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
gerritbot added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

Change #1175226 merged by jenkins-bot:

[mediawiki/skins/BlueSky@REL1_44] SECURITY: Properly escape system messages when creating links

https://gerrit.wikimedia.org/r/1175226

Sun, Aug 3, 1:22 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
gerritbot added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

Change #1175228 merged by jenkins-bot:

[mediawiki/skins/BlueSky@REL1_39] SECURITY: Properly escape system messages when creating links

https://gerrit.wikimedia.org/r/1175228

Sun, Aug 3, 1:20 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
gerritbot added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

Change #1175210 merged by jenkins-bot:

[mediawiki/skins/BlueSky@master] SECURITY: Properly escape system messages when creating links

https://gerrit.wikimedia.org/r/1175210

Sun, Aug 3, 1:20 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
gerritbot added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

Change #1175228 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/skins/BlueSky@REL1_39] SECURITY: Properly escape system messages when creating links

https://gerrit.wikimedia.org/r/1175228

Sun, Aug 3, 1:17 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
gerritbot added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

Change #1175227 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/skins/BlueSky@REL1_43] SECURITY: Properly escape system messages when creating links

https://gerrit.wikimedia.org/r/1175227

Sun, Aug 3, 1:17 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
gerritbot added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

Change #1175226 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/skins/BlueSky@REL1_44] SECURITY: Properly escape system messages when creating links

https://gerrit.wikimedia.org/r/1175226

Sun, Aug 3, 1:17 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
gerritbot added a project to T401046: Stored XSS through system messages in Skin:BlueSky: Patch-For-Review.
Sun, Aug 3, 1:13 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
gerritbot added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

Change #1175210 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/skins/BlueSky@master] SECURITY: Properly escape system messages when creating links

https://gerrit.wikimedia.org/r/1175210

Sun, Aug 3, 1:13 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
SomeRandomDeveloper updated subscribers of T401046: Stored XSS through system messages in Skin:BlueSky.
Sun, Aug 3, 1:12 AM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security

Sat, Aug 2

SomeRandomDeveloper added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

Patch:

Sat, Aug 2, 9:11 PM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
SomeRandomDeveloper added a comment to T401046: Stored XSS through system messages in Skin:BlueSky.

I was working on T279315: Replace usages of Linker::link() and Linker::linkKnown() in BlueSky skin, and accidentally fixed some of these vulnerabilities in a public non-security patch (https://gerrit.wikimedia.org/r/c/mediawiki/skins/BlueSky/+/1175210) before even realizing that there were i18n XSSs in the skin, so I'm going to update that patch so it fixes all vulnerabilities and mentions this task.

Sat, Aug 2, 8:50 PM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security
SomeRandomDeveloper claimed T401046: Stored XSS through system messages in Skin:BlueSky.
Sat, Aug 2, 8:43 PM · SecTeam-Processed, Vuln-XSS, affects-Miraheze, BlueSky, Security

Mon, Jul 28

sbassett added a comment to T400501: Stored XSS through system messages in WMF's mediawiki-config.

No CVE or security release will be necessary here, as this issue only lived within Wikimedia's production configuration.

Mon, Jul 28, 10:42 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
sbassett changed the visibility for T400501: Stored XSS through system messages in WMF's mediawiki-config.
Mon, Jul 28, 10:41 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
sbassett closed T400501: Stored XSS through system messages in WMF's mediawiki-config as Resolved.
Mon, Jul 28, 10:41 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
SomeRandomDeveloper added a comment to T400501: Stored XSS through system messages in WMF's mediawiki-config.

I think we can probably just open up this bug now? This shouldn't ever be included within a security release.

Mon, Jul 28, 10:39 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
sbassett moved T400501: Stored XSS through system messages in WMF's mediawiki-config from Security Patch To Deploy to Our Part Is Done on the Security-Team board.
Mon, Jul 28, 10:34 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
SomeRandomDeveloper added a comment to T400501: Stored XSS through system messages in WMF's mediawiki-config.

Looks like I forgot to mention the task in the commit message. For those reading this task after it was made public, this was uploaded to gerrit and merged: https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/1173481

Mon, Jul 28, 9:41 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
Dreamy_Jazz moved T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.
Mon, Jul 28, 6:20 PM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team
Dreamy_Jazz moved T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.
Mon, Jul 28, 6:20 PM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team
sbassett updated subscribers of T400501: Stored XSS through system messages in WMF's mediawiki-config.
Mon, Jul 28, 6:08 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
sbassett added a comment to T400501: Stored XSS through system messages in WMF's mediawiki-config.

Note: the plan here is to do a very quick config deploy via a public gerrit patch.

Mon, Jul 28, 6:08 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
sbassett changed the status of T400501: Stored XSS through system messages in WMF's mediawiki-config from Open to In Progress.
Mon, Jul 28, 5:34 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
Mstyles added a comment to T400501: Stored XSS through system messages in WMF's mediawiki-config.

Thanks @matmarex!
I've made use of that function in my patch:

Mon, Jul 28, 5:31 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
gerritbot added a comment to T387130: CVE-2025-32699: Potential javascript injection attack enabled by Unicode normalization in Action API.

Change #1163476 merged by jenkins-bot:

[utfnormal@master] Replace isolated combining characters

https://gerrit.wikimedia.org/r/1163476

Mon, Jul 28, 4:49 PM · Patch-For-Review, MW-Interfaces-Team, Essential-Work, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-Inject, Vuln-XSS, MediaWiki-Action-API, Security, Security-Team

Fri, Jul 25

SomeRandomDeveloper added a comment to T400501: Stored XSS through system messages in WMF's mediawiki-config.

Thanks @matmarex!
I've made use of that function in my patch:

Fri, Jul 25, 11:57 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
SomeRandomDeveloper claimed T400501: Stored XSS through system messages in WMF's mediawiki-config.
Fri, Jul 25, 11:48 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
SomeRandomDeveloper updated the task description for T400501: Stored XSS through system messages in WMF's mediawiki-config.
Fri, Jul 25, 11:15 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
matmarex added a comment to T400501: Stored XSS through system messages in WMF's mediawiki-config.

Skin::makeInternalOrExternalUrl() is commonly used in MW code to prevent this (a 'javascript:' URL will instead be treated as an internal link to a wiki page by that title, instead of an external link to a full URL).

Fri, Jul 25, 10:32 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
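Added example, not part of the task discussion above and not code from MediaWiki core, the BlueSky skin or mediawiki-config: it models the "stored XSS through system messages" pattern these tasks share (an interface administrator edits a message in the MediaWiki: namespace, a skin or extension drops that text into link markup unescaped) and the two fixes described, escaping the message text and routing the URL through a protocol check like the one matmarex refers to. The message keys, the `MESSAGES` store, `URL_PROTOCOLS` (standing in for `$wgUrlProtocols`) and the helper names are assumptions made for the example.

```php
<?php
// Added example (not MediaWiki code). Constructed message store and helper
// names are assumptions; they stand in for the Message/Skin APIs.
declare(strict_types=1);

// Constructed sample: what an interface admin could leave in two messages.
// Both keys are hypothetical.
const MESSAGES = [
    'example-link-text' => '<img src=x onerror=alert(document.cookie)>',
    'example-link-url'  => 'javascript:alert(document.domain)',
];

// Registered URL protocols. MediaWiki keeps the real list in $wgUrlProtocols;
// 'javascript:' is deliberately absent from it.
const URL_PROTOCOLS = ['http://', 'https://', 'mailto:', '//'];

/** Stand-in for Message::text(): returns the raw, unescaped message. */
function msgText(string $key): string
{
    return MESSAGES[$key] ?? "<$key>";
}

/** Stand-in for Message::escaped(): HTML-escapes the message text. */
function msgEscaped(string $key): string
{
    return htmlspecialchars(msgText($key), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: raw message text pasted into markup. */
function vulnerableLink(): string
{
    return '<a href="' . msgText('example-link-url') . '">'
        . msgText('example-link-text') . '</a>';
}

/**
 * Mirrors the idea behind Skin::makeInternalOrExternalUrl(): a value that
 * starts with a registered protocol is kept as an external URL; anything
 * else is treated as a wiki page title and built as an internal link, so
 * "javascript:..." becomes a harmless link to a page of that name.
 */
function makeInternalOrExternalUrl(string $name): string
{
    foreach (URL_PROTOCOLS as $proto) {
        if (stripos($name, $proto) === 0) { // case-insensitive: "HTTP://" too
            return $name;
        }
    }
    return '/wiki/' . rawurlencode(str_replace(' ', '_', $name));
}

/** Hardened pattern: URL routed through the protocol check, both escaped. */
function hardenedLink(): string
{
    $href = makeInternalOrExternalUrl(msgText('example-link-url'));
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
        . msgEscaped('example-link-text') . '</a>';
}

echo "vulnerable: ", vulnerableLink(), "\n";
echo "hardened:   ", hardenedLink(), "\n";
```

Run with `php example.php`: the first line carries a `javascript:` href and a live `onerror` handler; the second links to `/wiki/javascript%3Aalert%28document.domain%29` with the payload rendered as text. In real MediaWiki code the same split exists on the Message object: `->text()` and `->plain()` return unescaped strings and belong only in contexts that escape later, while `->escaped()` (or `->parse()` for wikitext) is what goes into HTML, and `Html::element()` escapes attribute values such as `href` for you.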
Reedy added a project to T400501: Stored XSS through system messages in WMF's mediawiki-config: Wikimedia-Site-requests.
Fri, Jul 25, 10:18 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
SomeRandomDeveloper added a project to T400501: Stored XSS through system messages in WMF's mediawiki-config: Vuln-XSS.
Fri, Jul 25, 6:15 PM · SecTeam-Processed, Wikimedia-Site-requests, Vuln-XSS, Security, Security-Team
Niharika edited projects for T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup, added: Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)); removed Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)).
Fri, Jul 25, 3:27 PM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team