CVE-2023-37254: T331065 Extension:Cargo XSS in Special:CargoQuery using default format
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted page item when using the default format.
Extension:Cargo XSS in Special:CargoQuery using default format
Closed, Resolved | Public | Security
Steps to reproduce:
Make a template, Template:TestXSS:
<noinclude>{{#cargo_declare: _table=TestXSS |field1=String (mandatory) }} </noinclude><includeonly>
Field1 is {{{field1}}}
{{#cargo_store: _table=TestXSS |field1={{{field1}}} }} </includeonly>
And create the table.
Make a page Item:
{{TestXSS|field1=<script>alert(1)</script>}}
Go to Special:CargoQuery. Put table as TestXSS, field as TestXSS.field1. Keep format as (default). Hit submit, notice the popup box.
Event Timeline
I tested the fix, and can confirm that it seems to fix the issue.
I filed T331311 for a second thing I noticed while looking at the code.
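The bug class reported in this task, a stored String field written into query output without HTML escaping, shown beside the escaped form. This is an added illustration, not Cargo's code or the actual fix; `renderRows`, `rawCell`, `escapedCell` and the sample rows are hypothetical names and constructed data.

```php
<?php
// Added illustration: hypothetical helpers, not taken from the Cargo extension.

/** Build an HTML table from query rows, formatting each cell with $cell. */
function renderRows(array $rows, callable $cell): string {
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $value) {
            $html .= '<td>' . $cell((string)$value) . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

/** Unsafe cell formatter: the stored value reaches the page as markup. */
function rawCell(string $value): string {
    return $value;
}

/** Safe cell formatter: the stored value is encoded as text at output time. */
function escapedCell(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: what the reproduction steps store in TestXSS.field1,
// plus one ordinary value.
$rows = [
    ['field1' => '<script>alert(1)</script>'],
    ['field1' => 'Tom & Jerry'],
];

$unsafe = renderRows($rows, 'rawCell');
$safe   = renderRows($rows, 'escapedCell');

// Regression check: no stored value may introduce a tag into the safe output.
if (stripos($safe, '<script') !== false) {
    throw new RuntimeException('stored value rendered as markup');
}

echo "Unescaped output:\n", $unsafe, "\n";
echo "Escaped output:\n", $safe;
```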