An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media.

**Security Announcements**

**\[20220309\] - Core - XSS attack vector through SVG**

*   **Project:** Joomla!
*   **SubProject:** CMS
*   **Impact:** Moderate
*   **Severity:** Low
*   **Probability:** Low
*   **Versions:** 4.0.0 - 4.1.0
*   **Exploit type:** XSS
*   **Reported Date:** 2021-08-25
*   **Fixed Date:** 2022-03-29
*   **CVE Number:** CVE-2022-23801

**Description**

Possible XSS attack vector through SVG embedding in com\_media.

**Affected Installs**

Joomla! CMS versions 4.0.0 - 4.1.0

**Solution**

Upgrade to version 4.1.1

**Contact**

The JSST at the Joomla! Security Centre.

**Reported By:** Julia Polner, Simon Stockhause

*   
*

CVE-2022-23801: Joomla! Developer Network

An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.

**Security Announcements**

**\[20220308\] - Core - Inadequate content filtering within the filter code**

*   **Project:** Joomla! / Joomla! Framework
*   **SubProject:** CMS / filter
*   **Impact:** Moderate
*   **Severity:** Low
*   **Probability:** Low
*   **Versions:** 4.0.0 - 4.1.0
*   **Exploit type:** XSS
*   **Reported Date:** 2022-01-19
*   **Fixed Date:** 2022-03-29
*   **CVE Number:** CVE-2022-23800

**Description**

Inadequate content filtering leads to XSS vulnerabilities in various components.

**Affected Installs**

Joomla! CMS versions 4.0.0 - 4.1.0

**Solution**

Upgrade to version 4.1.1

**Contact**

The JSST at the Joomla! Security Centre.

**Reported By:** Sebastian Morris, pwnCTRL

*   
*

CVE-2022-23800: Joomla! Developer Network

An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.

**Security Announcements**

**\[20220304\] - Core - Missing input validation within com\_fields class inputs**

*   **Project:** Joomla!
*   **SubProject:** CMS
*   **Impact:** Moderate
*   **Severity:** Low
*   **Probability:** Low
*   **Versions:** 3.7.0 - 3.10.6
*   **Exploit type:** XSS
*   **Reported Date:** 2021-05-06
*   **Fixed Date:** 2022-03-29
*   **CVE Number:** CVE-2022-23796

**Description**

Lack of input validation could allow an XSS attack using com\_fields

**Affected Installs**

Joomla! CMS versions 3.7.0 - 3.10.6

**Solution**

Upgrade to version 3.10.7

**Contact**

The JSST at the Joomla! Security Centre.

**Reported By:** Hoàng Nguyễn

*   
*

CVE-2022-23796: Joomla! Developer Network

There is a stored XSS vulnerability in ZTE home gateway product. An attacker could modify the gateway name by inserting special characters and trigger an XSS attack when the user views the current topology of the device through the management page.

**Original release date****:** March 30, 2022

**CVE ID**

CVE-2022-23136

**CVSS 3.****1** **Base Score**

4.3  Medium (AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

**Description**

There is a stored XSS vulnerability in ZTE home gateway product. An attacker could modify the gateway name by inserting special characters and trigger an XSS attack when the user views the current topology of the device through the management page.

**Affected Products and Fixes**

Product Name

Affected Version

Resolved Version

ZXHN F680

 V6.0.10P3N20

 V6.0.10P1N34

**Source**

The vulnerability was found by ZTE's internal test.

**Update Records**

 March 30, 2022, initial. 

**Version Update Method**

Please contact ZTE Global Customer Support Center to obtain the upgraded version.

**Global Customer Support Center**

http://support.zte.com.cn/support/web/Contact.aspx?\_langType=en

**ZTE PSIRT**

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html

CVE-2022-23136: Security Bulletin Details

A specially crafted TCP/IP packet may cause a camera recovery image telnet interface to crash. It may also cause a buffer overflow which could enable remote code execution. The recovery image can only be booted with administrative rights or with physical access to the camera and allows the upload of a new firmware in case of a damaged firmware.

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-478243-BT
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2021-23847
        *   Base Score: 9.8 (Critical)
    *   CVE-2021-23848
        *   Base Score: 8.3 (High)
    *   CVE-2021-23852
        *   Base Score: 4.9 (Medium)
    *   CVE-2021-23853
        *   Base Score: 8.3 (High)
    *   CVE-2021-23854
        *   Base Score: 8.3 (High)
*   **Published:** 09 Jun 2021
*   **Last Updated:** 09 Jun 2021

**Summary**

Multiple vulnerabilities for Bosch IP cameras have been discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch.

Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment.

Customers are strongly advised to upgrade to the fixed versions.

These vulnerabilities were discovered by Alexander Nochvay and Andrey Muravitsky from Kaspersky ICS CERT.

**Affected Products**

*   Bosch CPP Firmware on: CPP4, CPP6, CPP7, CPP7.3, CPP13
    *   CVE-2021-23848
    *   CVE-2021-23852
    *   CVE-2021-23853
*   Bosch CPP Firmware 7.62 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.70 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.72 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.75 on: CPP13
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.76 on: CPP13
    *   CVE-2021-23854
*   Bosch CPP Firmware < 7.80 B128 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847

**Solution and Mitigations****Software Updates**

The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in timely manner, users are recommended to follow the mitigations and workarounds described in the following section.

Platform

Affected/revoked firmware

Fixed firmware

CPP4

7.10

7.10.0095

CPP6

7.60, 7.61

7.62.0005

7.70, 7.80

7.80.0129

AVIOTEC

7.61, 7.72

7.72.0013

CPP7

7.60, 7.61

7.62.0005

7.70, 7.72, 7.80

7.80.0129

CPP7.3

7.60, 7.61, 7.62

7.62.0005

7.70, 7.72, 7.73, 7.80

7.80.0129

CPP13

7.75

7.75.0008

**Firewalling**

Disallowing connections from insecure networks to the camera by means of a firewall prevents the attacker from accessing the vulnerable interface.

**IP Filtering**

The camera has the possibility to whitelist networks or IP addresses to only allow access from trusted networks or IPs, preventing an attacker from accessing the camera.

**Using certificate based authentication**

To mitigate the critical vulnerability CVE-2021-23847, certificate based user authentication for the camera can be used as the SSL based authentication happens, before the vulnerable component can be accessed. This prevents an unauthenticated attacker from accessing the interface.

**Secure Configuration Environment**

It is advised to use a Bosch tool like the Configuration Manager to configure the camera, that does not allow for issues like XSS.

When using the web based configuration interface and currently being logged in as administrator, some security precautions can be taken to mitigate XSS vulnerabilities:

*   No other websites or email content should be opened as long as the session to the camera is active
    
*   No links should be clicked from an untrusted external source that link back to the camera.
    
*   Use a different browser than the system default browser to open a session to the camera as there is no XSS between browsers.
    
*   Always log out and/or close the browser (not only the tab) to clear any session data
    

**Vulnerability Details****CVE-2021-23847**

CVE description: A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device.

Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.

*   Problem Type:
    *   CWE-287 Improper Authentication
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 9.8 (Critical)

**CVE-2021-23848**

CVE description: An error in the URL handler may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**CVE-2021-23852**

CVE description: An authenticated attacker with administrator rights can call an URL with an invalid parameter that causes the camera to become unresponsive for a few seconds and cause a Denial of Service (DoS).

*   Problem Type:
    *   CWE-400 Uncontrolled Resource Consumption
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
    *   Base Score: 4.9 (Medium)

**CVE-2021-23853**

CVE description: Improper validation of the HTTP header allows an attacker to inject arbitrary HTTP headers through crafted URLs.

*   Problem Type:
    *   CWE-20 Improper Input Validation
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**CVE-2021-23854**

CVE description: An error in the handling of a page parameter may lead to a reflected cross site scripting (XSS) in the web-based interface.

This issue only affects versions 7.7x and 7.6x. All other versions are not affected.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**Remark**

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   09 Jun 2021: Correction of build version number of fixed firmware
*   09 Jun 2021: Initial Publication

**Appendix****Affected Plattforms and Cameras**

**CPP13**

*   AUTODOME inteox 7000i
    
*   MIC inteox 7100i
    

**CPP7.3**

*   AUTODOME IP 4000i
    
*   AUTODOME IP 5000i
    
*   AUTODOME IP starlight 5000i (IR)
    
*   AUTODOME IP starlight 7000i
    
*   DINION IP 3000i
    
*   DINION IP bullet 4000i
    
*   DINION IP bullet 5000
    
*   DINION IP bullet 5000i
    
*   DINION IP bullet 6000i
    
*   FLEXIDOME IP 3000i
    
*   FLEXIDOME IP 4000i
    
*   FLEXIDOME IP 5000i
    
*   FLEXIDOME IP starlight 5000i (IR)
    
*   FLEXIDOME IP starlight 8000i
    
*   MIC IP starlight 7000i
    
*   MIC IP starlight 7100i
    
*   MIC IP ultra 7100i
    
*   MIC IP fusion 9000i
    

**CPP7**

*   DINION IP starlight 6000
    
*   DINION IP starlight 7000
    
*   DINION IP thermal 8000
    
*   FLEXIDOME IP starlight 6000
    
*   FLEXIDOME IP starlight 7000
    
*   DINION IP thermal 9000 RM
    

**CPP6**

*   DINION IP starlight 8000 12MP
    
*   DINION IP ultra 8000 12MP
    
*   DINION IP ultra 8000 12MP with C/CS mount telephoto lens
    
*   FLEXIDOME IP panoramic 6000 12MP 180
    
*   FLEXIDOME IP panoramic 6000 12MP 360
    
*   FLEXIDOME IP panoramic 6000 12MP 180 IVA
    
*   FLEXIDOME IP panoramic 6000 12MP 360 IVA
    
*   FLEXIDOME IP panoramic 7000 12MP 180
    
*   FLEXIDOME IP panoramic 7000 12MP 360
    
*   FLEXIDOME IP panoramic 7000 12MP 180 IVA
    
*   FLEXIDOME IP panoramic 7000 12MP 360 IVA
    

**CPP4**

*   AUTODOME IP 4000 HD
    
*   AUTODOME IP 5000 HD
    
*   AUTODOME IP 5000 IR
    
*   AUTODOME 7000 series
    
*   DINION HD 1080p
    
*   DINION HD 1080p HDR
    
*   DINION HD 720p
    
*   DINION imager 9000 HD
    
*   DINION IP bullet 4000
    
*   DINION IP bullet 5000
    
*   DINION IP 4000 HD
    
*   DINION IP 5000 HD
    
*   DINION IP 5000 MP
    
*   DINION IP starlight 7000 HD
    
*   FLEXIDOME corner 9000 MP
    
*   FLEXIDOME HD 1080p
    
*   FLEXIDOME HD 1080p HDR
    
*   FLEXIDOME HD 720p
    
*   Vandal-proof FLEXIDOME HD 1080p
    
*   Vandal-proof FLEXIDOME HD 1080p HDR
    
*   Vandal-proof FLEXIDOME HD 720p
    
*   FLEXIDOME IP micro 2000 HD
    
*   FLEXIDOME IP micro 2000 IP
    
*   FLEXIDOME IP indoor 4000 HD
    
*   FLEXIDOME IP indoor 4000 IR
    
*   FLEXIDOME IP outdoor 4000 HD
    
*   FLEXIDOME IP outdoor 4000 IR
    
*   FLEXIDOME IP indoor 5000 HD
    
*   FLEXIDOME IP indoor 5000 MP
    
*   FLEXIDOME IP micro 5000 MP
    
*   FLEXIDOME IP outdoor 5000 HD
    
*   FLEXIDOME IP outdoor 5000 MP
    
*   FLEXIDOME IP panoramic 5000
    
*   IP bullet 4000 HD
    
*   IP bullet 5000 HD
    
*   IP micro 2000
    
*   IP micro 2000 HD
    
*   MIC IP dynamic 7000
    
*   MIC IP starlight 7000
    
*   TINYON IP 2000 family

CVE-2021-23850: Multiple vulnerabilities in Bosch IP cameras

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86.

Skip to content

*   SambaBox
    *   Kurumsal Dizin Çözümü
    *   Güvenlik
    *   Bireysel Parola Servisi
    *   SambaBox’a Geçiş
    *   Karşılaştırma Tablosu
*   Kimler İçin?
    *   Kamu Kurumları
    *   Üniversiteler
    *   Kurumsal Şirketler
    *   Çözüm ve Ürün Üreticiler
    *   Bulut ve Servis Sağlayıcılar
*   Kaynaklar
    *   Güncellemeler
    *   Sertifikalar
    *   Dokümanlar
    *   Entegrasyonlar
    *   Web Seminerleri
    *   Videolar
    *   Başarı Hikayeleri
    *   SSS
*   Belgeler
*   Partner Portal
*   İletişim
*   TR

*   SambaBox
    *   Kurumsal Dizin Çözümü
    *   Güvenlik
    *   Bireysel Parola Servisi
    *   SambaBox’a Geçiş
    *   Karşılaştırma Tablosu
*   Kimler İçin?
    *   Kamu Kurumları
    *   Üniversiteler
    *   Kurumsal Şirketler
    *   Çözüm ve Ürün Üreticiler
    *   Bulut ve Servis Sağlayıcılar
*   Kaynaklar
    *   Güncellemeler
    *   Sertifikalar
    *   Dokümanlar
    *   Entegrasyonlar
    *   Web Seminerleri
    *   Videolar
    *   Başarı Hikayeleri
    *   SSS
*   Belgeler
*   Partner Portal
*   İletişim
*   TR

*   SambaBox
    *   Kurumsal Dizin Çözümü
    *   Güvenlik
    *   Bireysel Parola Servisi
    *   SambaBox’a Geçiş
    *   Karşılaştırma Tablosu
*   Kimler İçin?
    *   Kamu Kurumları
    *   Üniversiteler
    *   Kurumsal Şirketler
    *   Çözüm ve Ürün Üreticiler
    *   Bulut ve Servis Sağlayıcılar
*   Kaynaklar
    *   Güncellemeler
    *   Sertifikalar
    *   Dokümanlar
    *   Entegrasyonlar
    *   Web Seminerleri
    *   Videolar
    *   Başarı Hikayeleri
    *   SSS
*   Belgeler
*   Partner Portal
*   İletişim
*   TR

Page load link

CVE-2022-25620: SambaBox Sürüm 4.0

DouPHP v1.6 Release 20220121 is affected by Cross Site Scripting (XSS) through /admin/login.php in the background, which will lead to JavaScript code execution.

XSS vulnerability exists in douphp background adding articles.

Official demo site, administrator login. https://demo.douphp.com/admin/login.php

Source download address. https://down.douphp.com/DouPHP\_1.6\_Release\_20220121.zip

Log in to the background and add articles. ![image](https://github.com/zpxlz/douphp/raw/gh-pages/1.png)

Insert XSS code at the article name,Submit.

<script>alert(document.cookie)</script>

![image](https://github.com/zpxlz/douphp/raw/gh-pages/2.png)

Cookie pops up in the background. ![image](https://github.com/zpxlz/douphp/raw/gh-pages/3.png)

The foreground will also trigger vulnerabilities. ![image](https://github.com/zpxlz/douphp/raw/gh-pages/4.png)

CVE-2022-24131: GitHub - zpxlz/douphp: douphp

Cross-site Scripting (XSS) - Stored in GitHub repository mineweb/minewebcms prior to next.

@@ -96,12 +96,12 @@

<div class\="form-group"\>

<label\><?= $Lang\->get('NAVBAR\_\_LINK\_NAME') ?></label\>

<input type\="text" class\="form-control name\_of\_nav"

value\="<?= urldecode($name) ?>" name\="name\_of\_nav"\>

value\="<?= $name ?>" name\="name\_of\_nav"\>

</div\>

<div class\="form-group"\>

<label\><?= $Lang\->get('URL') ?></label\>

<input type\="text" class\="form-control url\_of\_nav"

value\="<?= urldecode($url) ?>"

value\="<?= $url ?>"

placeholder\="<?= $Lang\->get('NAVBAR\_\_CUSTOM\_URL') ?>" name\="url"\>

</div\>

<a href\="#"

@@ -238,9 +238,9 @@

url \= {};

for (var key in test \= names) {

var l \= test\[key\].split('=');

l \= l\[1\];

l \= decodeURIComponent(l\[1\]);

var p \= urls\[key\].split('=');

p \= p\[1\];

p \= decodeURIComponent(p\[1\]);

url\[l\] \= p;

}

}

CVE-2022-1163: improv. fix xss with navbar · MineWeb/MineWebCMS@06ce52c

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.

*   Edit Task

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Risk Rating

Low

Author Affiliation

Wikimedia Communities

*   Task Graph
*   Mentions

**Event Timeline**

Restricted Application added a subscriber: Aklapper.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Low.

Reedy renamed this task from Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

Reedy renamed this task from CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete

**

CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

**List of steps to reproduce** (step by step, including full links if applicable):

*   Be sure your wiki has files uploaded (non-pdfs)
*   Go to \[\[MediaWiki:Widthheight\]\] and append "<script>alert('XSS widthheight');</script>"
*   Go to index.php?title=Special:NewFiles&limit=2 and you will get the alerts

This is from ImageHandler::getDimensionsString and also includes "widthheightpage" for pdfs.  
It affects all gallery which shows dimensions, that is not true for parser/wikitext.  
The default depends on $wgGalleryOptions.  
Categories with files are affected  
Special:Uncategorizedimages and Special:Unusedimages and Special:Mostimages are affected.

A second case:

*   Log in as sysop
*   Go to Special:ListFiles and select a file with a 2 or higher in the Versions column
*   In the file history click "(change visibility)" and you will get the alert.

For the second case the escaped is also missing for message "nbytes" in RevDelFileItem::getHTML

**What happens?**:  
javascript alerts are shown.

**What should have happened instead?**:  
No javascript alert should be shown. The script tag must be presented as visible text.

**Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc**: current master

Risk Rating

Low

Author Affiliation

Wikimedia Communities

*   Task Graph

**Event Timeline**

Comment Actions

Only priviliged user can edit messages, but the use of Special:RevisionDelete also affects oversights.

I am not sure if problems with message escaping should be public or better private like this. Feel free to change as needed.

Comment Actions

Thanks for filling the task. Definitely let's keep this private (at least for now) – this is an active vulnerability (although it requires sysop rights to exploit).

Comment Actions

We've resolved many issues like this in public in the past (recent examples:  1   2 ).

I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.

Comment Actions

This should just be a simple s/text/escaped/ here and here, correct?

> I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.

I think the Security-Team is fine rating many of these msg issues (including this issue) as **low risk** if a patch can go through gerrit on a Monday just prior to the train cut.

Comment Actions

> This should just be a simple s/text/escaped/ here and here, correct?
> 
> > I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.
> 
> I think the Security-Team is fine rating many of these msg issues (including this issue) as **low risk** if a patch can go through gerrit on a Monday just prior to the train cut.

The return value of ImageHandler::getDimensionsString is escaped by the caller (at least in ImageHistoryList) and should be wrapped with htmlspecialchars in the Gallery here

The second part in RevDelFileItem is okay with /text/escaped/ replace.

Comment Actions

First attempt at a patch per @Umherirrender's advice above. Per my previous comment, this can be sent up and merged via gerrit next Monday if it looks decent.

Comment Actions

> First attempt at a patch per @Umherirrender's advice above. Per my previous comment, this can be sent up and merged via gerrit next Monday if it looks decent.

That works and looks very good. +2

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Low.

Reedy added a parent task: Restricted Task.Sun, Mar 20, 2:51 PM

Reedy renamed this task from Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.Mon, Mar 28, 1:53 PM

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

Tag

#xss