CVE-2021-45473: ⚓ T294693 XSS on page information Wikibase central description
In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which is triggered upon a visit to an action=info URL (aka a page-information sidebar).
XSS on page information Wikibase central description
Closed, Resolved · Public · Security
Create an item with description <img src=x onerror=alert()> or change an existing item and add this description. Add a wiki sitelink or go to an existing wiki sitelink of that item. Click on the “page information” sidebar link, e.g. so you arrive at a page like https://en.wikipedia.org/w/index.php?title=Earth&action=info. View an alert box originating from the “Central description” row.
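The steps above describe a stored XSS: the item description is saved as plain text in Wikibase, but the page-information (action=info) view emits it into the "Central description" table row as raw HTML, so the browser executes the onerror handler. The following is an added example written for this page, not Wikibase's own code; the function names are hypothetical, and the sample description is constructed from the reproduction steps above. It shows the unsafe interpolation pattern next to the escaped form, plus a check a regression test could use.

```php
<?php
// Added example (not Wikibase's or MediaWiki's own code). Function names
// below are hypothetical illustrations of the rendering pattern.

// Constructed sample input: the description from the reproduction steps.
const SAMPLE_DESCRIPTION = '<img src=x onerror=alert()>';
// A benign description, to confirm escaping does not damage normal text.
const BENIGN_DESCRIPTION = 'third planet from the Sun & only known home of life';

/**
 * Vulnerable pattern: the stored description is concatenated into the
 * action=info table as-is, so any markup it contains becomes part of the
 * page DOM and its event handlers run in the viewer's browser.
 */
function renderCentralDescriptionRowUnsafe( string $description ): string {
    return '<tr><td>Central description</td><td>' . $description . '</td></tr>';
}

/**
 * Escape untrusted text for an HTML text context. ENT_QUOTES also makes
 * the result safe inside double- and single-quoted attributes, and an
 * explicit charset avoids encoding-dependent surprises.
 */
function escapeHtmlText( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

/**
 * Hardened pattern: the description is escaped before being placed in the
 * HTML, so the payload is displayed literally instead of being parsed.
 */
function renderCentralDescriptionRowSafe( string $description ): string {
    return '<tr><td>Central description</td><td>' . escapeHtmlText( $description ) . '</td></tr>';
}

/**
 * Regression check: if the raw untrusted string survives verbatim in the
 * output, markup in it will be interpreted by the browser. A renderer that
 * escapes correctly never lets a '<' from user data through unchanged.
 */
function containsRawUntrustedMarkup( string $html, string $untrusted ): bool {
    return strpos( $untrusted, '<' ) !== false && strpos( $html, $untrusted ) !== false;
}

$unsafe = renderCentralDescriptionRowUnsafe( SAMPLE_DESCRIPTION );
$safe   = renderCentralDescriptionRowSafe( SAMPLE_DESCRIPTION );
$benign = renderCentralDescriptionRowSafe( BENIGN_DESCRIPTION );

echo "unsafe: $unsafe\n";   // the <img ... onerror=...> tag reaches the browser live
echo "safe:   $safe\n";     // contains &lt;img src=x onerror=alert()&gt; instead
echo "benign: $benign\n";   // only the '&' changes, to &amp;

assert( containsRawUntrustedMarkup( $unsafe, SAMPLE_DESCRIPTION ) === true );
assert( containsRawUntrustedMarkup( $safe, SAMPLE_DESCRIPTION ) === false );
assert( strpos( $safe, '&lt;img' ) !== false );
assert( strpos( $benign, 'Sun &amp; only' ) !== false );
```

In MediaWiki code the idiomatic way to get the safe form is to build the cell with the core Html helpers (for example Html::element, which escapes its text content) rather than concatenating strings, and to keep Html::rawElement for content that has already been escaped or was produced by the parser.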
Event Timeline
As soon as this gets reviewed by someone else, the security team will be more than happy to deploy!
Security patch deployed and added to /srv/patches.
Thanks for the deploys. Also tracking this issue at {T292236} and {T276237}.
@sbassett @Reedy We’re not clear about the procedure, but we certainly owe you a heads up that the security patch for this was committed to Wikibase master branch (backporting to 1.35-1.37 either already done or pending). I guess the patch could be removed from /srv/patches/?
We also intend to make this task public given the fix has landed in public git repository. Please stop us if there are some additional steps required (e.g. related to T292236)
For non-bundled extensions like Wikibase, a task like this can be made public if mitigations have been deployed to Wikimedia production and there is no sensitive information on the task, which I do not believe there is. And yes, it’s fine to handle any relevant backports once the issue has been mitigated within Wikimedia production. The backport to master means the patch will be removed from Wikimedia production either today for wmf.11 (if it made the cut) or next week for wmf.12 (or whatever it will be). This issue will get a proper CVE once we get closer to processing the supplemental security release, again towards the end of December 2021. I believe that’s pretty much everything left to do at this point.