
Vuln-XSS (Bugs)
Active, Public

Description

This tag is used to group security bugs by their general classification. These bugs allow an attacker to run JavaScript in another user's browser (Cross-site Scripting / XSS). See OWASP Top 10 2017, A7.

Parent project: Security-Team

Recent Activity

Wed, Jul 16

Dreamy_Jazz moved T394700: CVE-2025-53480: Special:Investigate 'Account information' tab has i18n XSS vectors from Inbox to Investigate on the CheckUser board.
Wed, Jul 16, 12:28 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
Dreamy_Jazz moved T394692: CVE-2025-53478: Special:Investigate 'IPs and User agents' tab has i18n XSS vectors from Inbox to Investigate on the CheckUser board.
Wed, Jul 16, 12:28 PM · MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team

Tue, Jul 15

sbassett changed the visibility for T399414: XSS through system messages in WikiHiero still reproducible on certain versions.
Tue, Jul 15, 5:30 PM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team
sbassett closed T399414: XSS through system messages in WikiHiero still reproducible on certain versions as Resolved.
Tue, Jul 15, 5:29 PM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team
gerritbot added a comment to T396524: CVE-2025-53488: Stored XSS through system messages in WikiHiero.

Change #1166021 merged by SBassett:

[mediawiki/extensions/wikihiero@REL1_42] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166021

Tue, Jul 15, 3:52 PM · Patch-For-Review, MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), SecTeam-Processed, WikiHiero, Vuln-XSS, affects-Miraheze, Security, Security-Team
gerritbot added a comment to T396524: CVE-2025-53488: Stored XSS through system messages in WikiHiero.

Change #1166022 merged by jenkins-bot:

[mediawiki/extensions/wikihiero@REL1_39] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166022

Tue, Jul 15, 8:32 AM · Patch-For-Review, MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), SecTeam-Processed, WikiHiero, Vuln-XSS, affects-Miraheze, Security, Security-Team

Mon, Jul 14

SomeRandomDeveloper updated subscribers of T399414: XSS through system messages in WikiHiero still reproducible on certain versions.
Mon, Jul 14, 9:59 PM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team
sbassett changed the status of T399414: XSS through system messages in WikiHiero still reproducible on certain versions from Open to In Progress.
Mon, Jul 14, 9:06 PM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team
sbassett claimed T399414: XSS through system messages in WikiHiero still reproducible on certain versions.
Mon, Jul 14, 9:06 PM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team
sbassett added a comment to T399414: XSS through system messages in WikiHiero still reproducible on certain versions.

Ok, I've restored the affected change sets:

  1. REL1_39: https://gerrit.wikimedia.org/r/1166022
  2. REL1_42: https://gerrit.wikimedia.org/r/1166021

I had to modify a few syntactic things for the REL1_39 patch to get its (old) tests to pass. Namely use non-arrow notation and s/const/var/, which shouldn't be a big deal. It should be ready for a +2. I also pushed those same changes to the 1.42 change set since there are no tests anymore and I'd rather be safe than sorry re: back compat. If someone would like to +2 Verify/Confirm that change set, they should be able to do so now.

Mon, Jul 14, 9:05 PM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team
gerritbot added a comment to T396524: CVE-2025-53488: Stored XSS through system messages in WikiHiero.

Change #1166021 restored by SBassett:

[mediawiki/extensions/wikihiero@REL1_42] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166021

Mon, Jul 14, 8:47 PM · Patch-For-Review, MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), SecTeam-Processed, WikiHiero, Vuln-XSS, affects-Miraheze, Security, Security-Team
gerritbot added a project to T396524: CVE-2025-53488: Stored XSS through system messages in WikiHiero: Patch-For-Review.
Mon, Jul 14, 8:45 PM · Patch-For-Review, MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), SecTeam-Processed, WikiHiero, Vuln-XSS, affects-Miraheze, Security, Security-Team
gerritbot added a comment to T396524: CVE-2025-53488: Stored XSS through system messages in WikiHiero.

Change #1166022 restored by SBassett:

[mediawiki/extensions/wikihiero@REL1_39] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166022

Mon, Jul 14, 8:45 PM · Patch-For-Review, MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), SecTeam-Processed, WikiHiero, Vuln-XSS, affects-Miraheze, Security, Security-Team
sbassett added a comment to T399414: XSS through system messages in WikiHiero still reproducible on certain versions.

We can look at this during our clinic today, but just so it's clear, the Security-Team does not make any guarantees around supporting backports to older (even if supported) release branches. For anything under the supplemental security releases, we guarantee merging the patches to master/main and, if trivial, backports to other, supported release branches.

Mon, Jul 14, 2:01 PM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team
SomeRandomDeveloper added a comment to T399414: XSS through system messages in WikiHiero still reproducible on certain versions.

> The backports for REL1_39 and REL1_42 were abandoned, presumably due to merge conflicts:

My guess would be that REL1_42 was abandoned because MediaWiki 1.42 is End of Life; MediaWiki 1.39 doesn’t become EoL until November 2025, but maybe that patch was abandoned by mistake / confusion for a similar reason.

Mon, Jul 14, 8:58 AM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T399414: XSS through system messages in WikiHiero still reproducible on certain versions.

The backports for REL1_39 and REL1_42 were abandoned, presumably due to merge conflicts:

Mon, Jul 14, 8:56 AM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team

Sun, Jul 13

SomeRandomDeveloper added projects to T399414: XSS through system messages in WikiHiero still reproducible on certain versions: WikiHiero, Vuln-XSS.
Sun, Jul 13, 5:58 PM · SecTeam-Processed, Vuln-XSS, WikiHiero, Security, Security-Team

Fri, Jul 11

gerritbot added a comment to T396946: CVE-2025-53496: Stored XSS through a system message in MediaSearch.

Change #1166035 merged by Jly:

[mediawiki/extensions/MediaSearch@REL1_39] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166035

Fri, Jul 11, 6:20 PM · SecTeam-Processed, Structured-Data-Backlog, Vuln-XSS, MediaSearch, Security, Security-Team

Thu, Jul 10

A_smart_kitten added a project to T394383: CVE-2025-53487: Stored XSS through system messages in Extension:ApprovedRevs: MediaWiki-extensions-Approved-Revs.
Thu, Jul 10, 7:28 AM · MediaWiki-extensions-Approved-Revs, Patch-For-Review, Vuln-XSS, SecTeam-Processed, affects-Miraheze, Security

Tue, Jul 8

Maintenance_bot added a project to T392276: CVE-2025-6591: HTML injection in API action=feedcontributions output from i18n message: MW-Interfaces-Team.
Tue, Jul 8, 9:30 PM · MW-Interfaces-Team, MW-1.44-release, MW-1.43-release, MW-1.42-release, MW-1.39-release, Vuln-XSS, MediaWiki-Action-API, Security, Security-Team
sbassett moved T394863: CVE-2025-6595: Stored XSS through system messages in MultimediaViewer from Watching to Our Part Is Done on the Security-Team board.
Tue, Jul 8, 9:14 PM · MW-1.39-release, MW-1.42-release, MW-1.44-release, MW-1.43-release, Readers Essential Work 2025, Web-Team (Q4 Sprint 5 (June 4 2025 - 18 June)), SecTeam-Processed, Vuln-XSS, MediaViewer, affects-Miraheze, Security, Security-Team
sbassett moved T395063: CVE-2025-6594: XSS in Special:ApiSandbox (User interaction required) from Watching to Our Part Is Done on the Security-Team board.
Tue, Jul 8, 9:13 PM · MW-1.43-release, MW-1.44-release, MediaWiki-Platform-Team, affects-Miraheze, SecTeam-Processed, MediaWiki-Action-API, Vuln-XSS, Security, Security-Team
sbassett removed a project from T392276: CVE-2025-6591: HTML injection in API action=feedcontributions output from i18n message: Patch-For-Review.
Tue, Jul 8, 9:11 PM · MW-Interfaces-Team, MW-1.44-release, MW-1.43-release, MW-1.42-release, MW-1.39-release, Vuln-XSS, MediaWiki-Action-API, Security, Security-Team
sbassett moved T396413: CVE-2025-53497: Stored XSS in RelatedArticles from Watching to Our Part Is Done on the Security-Team board.
Tue, Jul 8, 9:07 PM · Web-Team, RelatedArticles, affects-Miraheze, Vuln-XSS, Security, Security-Team
sbassett reassigned T396413: CVE-2025-53497: Stored XSS in RelatedArticles from Jly to Lucas_Werkmeister_WMDE.
Tue, Jul 8, 9:07 PM · Web-Team, RelatedArticles, affects-Miraheze, Vuln-XSS, Security, Security-Team
sbassett moved T396685: CVE-2025-6596: Vector inserts portlet labels as HTML, allowing for stored XSS through system messages from Watching to Our Part Is Done on the Security-Team board.
Tue, Jul 8, 9:03 PM · MW-1.42-release, MW-1.43-release, MW-1.44-release, SecTeam-Processed, Vector 2022 (Desktop improvements), Vector (legacy skin), affects-Miraheze, Vuln-XSS, Security, Security-Team
sbassett removed a project from T396685: CVE-2025-6596: Vector inserts portlet labels as HTML, allowing for stored XSS through system messages: Patch-For-Review.
Tue, Jul 8, 9:03 PM · MW-1.42-release, MW-1.43-release, MW-1.44-release, SecTeam-Processed, Vector 2022 (Desktop improvements), Vector (legacy skin), affects-Miraheze, Vuln-XSS, Security, Security-Team
sbassett removed a project from T394863: CVE-2025-6595: Stored XSS through system messages in MultimediaViewer: Patch-For-Review.
Tue, Jul 8, 8:55 PM · MW-1.39-release, MW-1.42-release, MW-1.44-release, MW-1.43-release, Readers Essential Work 2025, Web-Team (Q4 Sprint 5 (June 4 2025 - 18 June)), SecTeam-Processed, Vuln-XSS, MediaViewer, affects-Miraheze, Security, Security-Team
sbassett added a comment to T394692: CVE-2025-53478: Special:Investigate 'IPs and User agents' tab has i18n XSS vectors.

Note: this has been merged to master and backported - https://gerrit.wikimedia.org/r/q/I3a1e21b6800ff4d813a33ee9fe9b7ccf070b6b2e

Tue, Jul 8, 8:51 PM · MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
sbassett added a comment to T394700: CVE-2025-53480: Special:Investigate 'Account information' tab has i18n XSS vectors.

Note: this has been merged to master and backported - https://gerrit.wikimedia.org/r/q/I777fc55fef15c3b00df0db268af2b64cb2d6e381

Tue, Jul 8, 8:50 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
sbassett set Author Affiliation to community on T395063: CVE-2025-6594: XSS in Special:ApiSandbox (User interaction required).
Tue, Jul 8, 8:33 PM · MW-1.43-release, MW-1.44-release, MediaWiki-Platform-Team, affects-Miraheze, SecTeam-Processed, MediaWiki-Action-API, Vuln-XSS, Security, Security-Team
Jly closed T396946: CVE-2025-53496: Stored XSS through a system message in MediaSearch as Resolved.
Tue, Jul 8, 7:13 PM · SecTeam-Processed, Structured-Data-Backlog, Vuln-XSS, MediaSearch, Security, Security-Team
Dreamy_Jazz reopened T394692: CVE-2025-53478: Special:Investigate 'IPs and User agents' tab has i18n XSS vectors as "Open".

Needs to wait for QA

Tue, Jul 8, 6:12 PM · MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
Dreamy_Jazz reopened T394700: CVE-2025-53480: Special:Investigate 'Account information' tab has i18n XSS vectors as "Open".

Needs to wait for QA

Tue, Jul 8, 6:12 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana changed the visibility for T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup.
Tue, Jul 8, 5:45 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team
mmartorana closed T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup as Resolved.
Tue, Jul 8, 5:45 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team
mmartorana renamed T394393: CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup from IPInfo: Message key XSS through several IPInfo messages in infobox and popup to CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup.
Tue, Jul 8, 5:44 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), affects-Miraheze, MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), SecTeam-Processed, Patch-For-Review, Vuln-XSS, IP Info, Trust and Safety Product Team, Security, Security-Team
mmartorana renamed T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from CVE-2025-53484: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation to CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
Tue, Jul 8, 5:44 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team
mmartorana changed the visibility for T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
Tue, Jul 8, 5:43 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team
mmartorana closed T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation as Resolved.
Tue, Jul 8, 5:42 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team
mmartorana renamed T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation to CVE-2025-53484: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
Tue, Jul 8, 5:41 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team
mmartorana renamed T394590: CVE-2025-53486: Reflected XSS in WikiCategoryTagCloud from Reflected XSS in WikiCategoryTagCloud to CVE-2025-53486: Reflected XSS in WikiCategoryTagCloud.
Tue, Jul 8, 5:41 PM · WikiCategoryTagCloud, Vuln-XSS, affects-Miraheze, Security, Security-Team
mmartorana changed the visibility for T394383: CVE-2025-53487: Stored XSS through system messages in Extension:ApprovedRevs.
Tue, Jul 8, 5:40 PM · MediaWiki-extensions-Approved-Revs, Patch-For-Review, Vuln-XSS, SecTeam-Processed, affects-Miraheze, Security
mmartorana renamed T394383: CVE-2025-53487: Stored XSS through system messages in Extension:ApprovedRevs from Stored XSS through system messages in Extension:ApprovedRevs to CVE-2025-53487: Stored XSS through system messages in Extension:ApprovedRevs.
Tue, Jul 8, 5:38 PM · MediaWiki-extensions-Approved-Revs, Patch-For-Review, Vuln-XSS, SecTeam-Processed, affects-Miraheze, Security
mmartorana changed the visibility for T394692: CVE-2025-53478: Special:Investigate 'IPs and User agents' tab has i18n XSS vectors.
Tue, Jul 8, 5:37 PM · MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana closed T394692: CVE-2025-53478: Special:Investigate 'IPs and User agents' tab has i18n XSS vectors as Resolved.
Tue, Jul 8, 5:37 PM · MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana renamed T394692: CVE-2025-53478: Special:Investigate 'IPs and User agents' tab has i18n XSS vectors from Special:Investigate 'IPs and User agents' tab has i18n XSS vectors to CVE-2025-53478: Special:Investigate 'IPs and User agents' tab has i18n XSS vectors.
Tue, Jul 8, 5:34 PM · MW-1.45-notes (1.45.0-wmf.9; 2025-07-08), Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana renamed T394693: CVE-2025-53479: Special:CheckUser has i18n XSS vectors from Special:CheckUser has i18n XSS vectors to CVE-2025-53479: Special:CheckUser has i18n XSS vectors.
Tue, Jul 8, 5:33 PM · MW-1.45-notes (1.45.0-wmf.4; 2025-06-03), Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana changed the visibility for T394700: CVE-2025-53480: Special:Investigate 'Account information' tab has i18n XSS vectors.
Tue, Jul 8, 5:33 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana closed T394700: CVE-2025-53480: Special:Investigate 'Account information' tab has i18n XSS vectors as Resolved.
Tue, Jul 8, 5:32 PM · Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)), SecTeam-Processed, Vuln-XSS, Trust and Safety Product Team, CheckUser, Security, Security-Team