Page MenuHomePhabricator

Ex:SemanticForms - Stored XSS in template label on Special:FormEdit
Closed, ResolvedPublic


  1. Create a form and add <script> tag in the "Template label (optional):" field
  2. Visit Special:FormEdit/<templatename>/<anypage>
  3. Script executes

Event Timeline

csteipp assigned this task to Yaron_Koren.
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp added subscribers: Grunny, Aklapper, csteipp.

For some reason I only saw this now. Thanks for the patch! I just checked in this change.

That was

@Yaron_Koren, for future patches on security bugs, it would be great if you could comment here if you think the patch looks good, or needs an improvement. Then we can deploy (secretly) to our cluster before making the patch public in gerrit.

Deployed as a security patch for wikitech. @mmodell, since the patch is in master, it will be included with wmf13. But wmf11 and 12 are patched.

csteipp added a parent task: Restricted Task.Aug 7 2015, 6:38 PM
csteipp added a subscriber: ProgramCeltic.
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2015, 9:58 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".

CVE-2015-6732 was assigned for this and T103761.