CVE-2021-45473: T294693 XSS on page information Wikibase central description

In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which is triggered upon a visit to an action=info URL (aka a page-information sidebar).


XSS on page information Wikibase central description

Closed, Resolved (Public Security)


Create an item with description <img src=x onerror=alert()> or change an existing item and add this description. Add a wiki sitelink or go to an existing wiki sitelink of that item. Click on the “page information” sidebar link, e.g. so you arrive at a page like https://en.wikipedia.org/w/index.php?title=Earth&action=info. View an alert box originating from the “Central description” row.
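The report above boils down to one rendering mistake: an attacker-controlled Wikibase description is written into the page-information table as raw HTML, so a description containing a tag becomes live markup. The following is an added illustration written for this page, not code from the task, the Wikibase patch, or MediaWiki itself. It places the vulnerable rendering pattern beside the hardened one (HTML-escaping the value before interpolation) and adds a small detection helper a defender could run over stored descriptions. The function names, the `DESCRIPTIONS` sample data and the tag regex are my own constructions.

```python
import html
import re

# Constructed sample item descriptions (hypothetical; not real Wikidata content).
# "Q_EVIL" carries the kind of payload the report describes.
DESCRIPTIONS = {
    "Q2": "third planet from the Sun in the Solar System",
    "Q_EVIL": "<img src=x onerror=alert()>",
}


def render_row_unsafe(label, value):
    """Vulnerable pattern: user-controlled text interpolated straight into HTML.

    A browser parses the description as markup, so an <img> with an event
    handler executes script in the viewer's session.
    """
    return f"<tr><td>{label}</td><td>{value}</td></tr>"


def render_row_safe(label, value):
    """Hardened pattern: escape every untrusted value before interpolation.

    html.escape turns < > & " ' into entities, so the browser shows the
    description literally instead of parsing it as a tag.
    """
    return (
        f"<tr><td>{html.escape(label, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
    )


# Matches anything shaped like an opening or closing HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(value):
    """Detection helper: flag stored descriptions that parse as HTML tags.

    Useful for auditing existing content after a fix like this lands; it is
    a triage signal, not a substitute for output escaping.
    """
    return bool(TAG_RE.search(value))


def page_info_rows(descriptions, safe=True):
    """Render a 'Central description' row per item, safely by default."""
    render = render_row_safe if safe else render_row_unsafe
    return [render("Central description", d) for d in descriptions.values()]


def suspicious_items(descriptions):
    """Return the item ids whose descriptions contain tag-like markup."""
    return sorted(k for k, v in descriptions.items() if contains_markup(v))


if __name__ == "__main__":
    for row in page_info_rows(DESCRIPTIONS, safe=False):
        print("UNSAFE:", row)
    for row in page_info_rows(DESCRIPTIONS, safe=True):
        print("SAFE:  ", row)
    print("items needing review:", suspicious_items(DESCRIPTIONS))
```

The safe renderer is the only one that should ever reach a template; the unsafe one exists here purely to show, side by side, why the original rendering let `<img src=x onerror=alert()>` execute.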


Event Timeline


As soon as this gets reviewed by someone else, the security team will be more than happy to deploy!


Security patch deployed and added to /srv/patches.

Thanks for the deploys. Also tracking this issue at {T292236} and {T276237}.


@sbassett @Reedy We’re not clear about the procedure, but we certainly owe you a heads up that the security patch for this was committed to the Wikibase master branch (backporting to 1.35-1.37 either already done or pending). I guess the patch could be removed from /srv/patches/?


We also intend to make this task public, given the fix has landed in the public git repository. Please stop us if there are some additional steps required (e.g. related to T292236).

For non-bundled extensions like Wikibase, a task like this can be made public if mitigations have been deployed to Wikimedia production and there is no sensitive information on the task, which I do not believe there is. And yes, it’s fine to handle any relevant backports once the issue has been mitigated within Wikimedia production. The backport to master means the patch will be removed from Wikimedia production either today for wmf.11 (if it made the cut) or next week for wmf.12 (or whatever it will be). This issue will get a proper CVE once we get closer to processing the supplemental security release, again towards the end of December 2021. I believe that’s pretty much everything left to do at this point.
