
Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163)
Closed, ResolvedPublic

Description

Introduced in T235754: Implement haswbstatement:P<depicts>=Q<your term> autocomplete suggestions:

Event Timeline

Restricted Application added a subscriber: Aklapper. Dec 14 2019, 11:05 PM
Restricted Application added a project: Structured-Data-Backlog. Dec 14 2019, 11:06 PM

@matthiasmullie (probably the previous ping did not work)

This comment was removed by Bugreporter.

Looking into it.

[@Bugreporter: Please stop pinging people one by one and creating notification emails for each comment. Thanks for your understanding.]

sbassett added projects: Security-Team, Vuln-XSS.
sbassett moved this task from Incoming to Watching on the Security-Team board.
Reedy triaged this task as Medium priority. Dec 18 2019, 5:01 PM
matthiasmullie closed this task as Resolved. Jan 6 2020, 6:48 PM

This is now fixed - confirmed with example mentioned in task description.

@matthiasmullie - Is there a gerrit patch set or security patch we could reference here? Backports to supported release branches or a CVE? The Security-Team can help with the latter if need be. Thanks.

Yes - not sure why gerritbot didn't pick it up, but here's the patch: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseMediaInfo/+/558203

Thanks! gerritbot can't currently see security-protected Phab tasks.

So it doesn't look like templates/search/PropertySuggestionsWidget.mustache+dom existed in REL1_34 or previous, so no backports necessary. I'm going to make the task public now and request a CVE.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 7 2020, 9:39 PM
sbassett moved this task from Other WMF team to Done on the acl*security board.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett renamed this task from "Exposed HTML in WikibaseMediaInfo autocomplete suggestions" to "Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163)". Jan 8 2020, 6:18 PM