CVE-2023-37251: T333980 GoogleAnalyticsMetrics extension - XSS

An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs.


Status: Closed, Resolved (Public Security)


The googleanalyticstrackurl parser function in the extension does not properly escape JS in the onclick handler and does not prevent the use of javascript: URLs.

Additionally, it does not register external links in the parser (important for anti-spam).

Risk Rating: Medium

Author Affiliation: Wikimedia Communities

Event Timeline


        return '<strong class="error">' .
            wfMessage( 'googleanalyticsmetrics-invalid-url' )->text() .
            '</strong>';

Doesn’t this need to be ->parse() or ->escaped() to prevent HTML injection from the googleanalyticsmetrics-invalid-url message?

>       return '<strong class="error">' .
>           wfMessage( 'googleanalyticsmetrics-invalid-url' )->text() .
>           '</strong>';
>
> Doesn’t this need to be ->parse() or ->escaped() to prevent HTML injection from the googleanalyticsmetrics-invalid-url message?

No, because parser functions (unlike tag extensions) return wikitext if you return a string from them. So the return value is interpreted as being wikitext and does all normal wikitext escaping.


@Mstyles Can this be added to next extension security supplement?

Yes, added: T333626. Also going to just make this public now.

sbassett triaged this task as Medium priority.

sbassett changed Author Affiliation from Other (Please specify in description) to Wikimedia Communities.

sbassett changed the visibility from “Custom Policy” to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Medium.
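The two defects named in the task description (the URL interpolated into the onclick JavaScript without escaping, and no restriction on javascript: URLs), together with the ->text() exchange in the timeline, as an added example. This is not the extension's code or its fix; buildTrackedLink*(), the trackUrl() callback and the sample URLs are illustrative assumptions. It is plain PHP so the escaping can be inspected with php on the command line, without a MediaWiki install; the MediaWiki-side equivalents are named after the block.

```php
<?php
// Added example, not the GoogleAnalyticsMetrics extension's code.
// buildTrackedLink*() and trackUrl() are illustrative names.
declare(strict_types=1);

/**
 * The vulnerable shape: the user-controlled $url lands unescaped in the href
 * and inside a single-quoted JavaScript string in onclick. Both
 *   javascript:alert(1)              (href runs on click)
 *   https://x/' );alert(1);//        (breaks out of the JS string literal)
 * execute script.
 */
function buildTrackedLinkVulnerable( string $url, string $text ): string {
    return '<a href="' . $url . '" onclick="trackUrl(\'' . $url . '\')">'
        . $text . '</a>';
}

/**
 * The hardened shape. Three controls, each necessary on its own:
 *  1. a scheme allowlist (http, https, protocol-relative), which rejects
 *     javascript:, data:, vbscript: and any scheme the author did not intend;
 *  2. the URL is emitted as a JavaScript string literal built by json_encode
 *     with the JSON_HEX_* flags, so no quote, <, > or & can close the literal
 *     or the tag, whatever the URL contains;
 *  3. the finished script is HTML-attribute-escaped, because an onclick value
 *     is HTML first and JavaScript second: the browser decodes entities before
 *     the JS engine ever sees the text.
 * Returns null for a rejected URL so the caller can emit its error message.
 */
function buildTrackedLinkHardened( string $url, string $text ): ?string {
    // Browsers ignore ASCII control characters inside a scheme, so
    // "java\tscript:" is still javascript: to them. Strip them before testing.
    $probe = preg_replace( '/[\x00-\x20]+/', '', $url );
    if ( !preg_match( '#^(?:https?:|//)#i', $probe ) ) {
        return null;
    }

    $jsLiteral = json_encode(
        $url,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES
    );
    if ( $jsLiteral === false ) {
        // Invalid UTF-8 in the URL: refuse rather than emit a half-built call.
        return null;
    }
    $onclick = 'trackUrl(' . $jsLiteral . ')';

    $attr = static fn ( string $v ): string =>
        htmlspecialchars( $v, ENT_QUOTES | ENT_HTML5, 'UTF-8' );

    return '<a href="' . $attr( $url ) . '" onclick="' . $attr( $onclick ) . '">'
        . $attr( $text ) . '</a>';
}

// Constructed sample inputs: three attack strings and one benign URL.
$samples = [
    'javascript:alert(1)',
    "java\tscript:alert(1)",
    "https://example.org/' );alert(1);//",
    'https://example.org/page?a=1&b=2',
];

foreach ( $samples as $url ) {
    echo "input:      $url\n";
    echo 'vulnerable: ' . buildTrackedLinkVulnerable( $url, 'track me' ) . "\n";
    echo 'hardened:   ' . ( buildTrackedLinkHardened( $url, 'track me' )
        ?? '(rejected: would render the googleanalyticsmetrics-invalid-url message)' ) . "\n\n";
}

// Self-checks: every javascript: variant is refused, and no raw quote
// survives anywhere in the accepted output.
assert( buildTrackedLinkHardened( 'javascript:alert(1)', 't' ) === null );
assert( buildTrackedLinkHardened( "java\tscript:alert(1)", 't' ) === null );
$out = buildTrackedLinkHardened( "https://example.org/' );alert(1);//", 't' );
assert( $out !== null && strpos( $out, "'" ) === false && strpos( $out, '<' ) === 0 );
```

Inside a MediaWiki parser function the same three controls map onto core helpers: test the URL against the allowlist regex from wfUrlProtocols(), build the onclick value with Xml::encodeJsVar() and let Html::element() do the attribute escaping, and return the markup with 'isHTML' => true. The second defect in the description is fixed separately by calling $parser->getOutput()->addExternalLink( $url ), which puts the URL into ParserOutput::getExternalLinks(), the list that anti-spam tooling such as SpamBlacklist inspects. One caveat on the ->text() answer in the timeline: it holds because that parser function returns wikitext, which the parser escapes. As soon as a function returns raw HTML with 'isHTML' => true, that protection is gone and the message would need ->escaped() (or ->parse()) after all.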

Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses.
