CVE-2022-34912: Username not escaped in the contributions-title message

**

CVE-2022-34912: Username not escaped in the contributions-title message

Closed, ResolvedPublicSecurity

**

• Edit Task

• Edit Related Tasks…

• Edit Related Objects…

• Mute Notifications

• Protect as security issue

• Award Token

• Flag For Later

The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, if a username contains HTML entities (not possible by default, T308465), it won’t be escaped.

Risk Rating

Low

Author Affiliation

WMF Product

• Task Graph
• Mentions

Event Timeline

Mstyles changed Risk Rating from N/A to High.Fri, Jun 3, 11:13 PM

Comment Actions

Untested patch that should fix this issue, unless it garbles usernames in some way. But it shouldn’t. This is likely low risk enough to just go through gerrit, as similar patches have before (T2212).

sbassett triaged this task as Low priority.Tue, Jun 7, 2:32 AM

sbassett changed Author Affiliation from N/A to WMF Product.

sbassett changed Risk Rating from High to Low.

Reedy renamed this task from Username not escaped in the contributions-title message to CVE-2022-34912: Username not escaped in the contributions-title message.Sat, Jul 2, 7:40 PM

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL