Description

1. Create an item with description `<img src=x onerror=alert()>`, or change an existing item and add this description.
2. Add a wiki sitelink, or go to an existing wiki sitelink of that item.
3. Click on the "page information" sidebar link, e.g. so you arrive at a page like https://en.wikipedia.org/w/index.php?title=Earth&action=info.
4. View an alert box originating from the "Central description" row.
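The reproduction above works because the item's description is inserted into the action=info table as raw HTML. The following is an added illustration (not Wikibase's or MediaWiki's own code) of the vulnerable pattern next to the escaped form that the timeline below describes as the deployed fix; it uses plain PHP `htmlspecialchars` as a stand-in for MediaWiki's escaping helpers, and the row label and sample descriptions are constructed for the example.

```php
<?php
// Added example, not Wikibase code: render the "Central description" row of an
// action=info page from an item description, unescaped (vulnerable) and escaped.
declare(strict_types=1);

// Constructed sample inputs: a benign description, the payload from the task
// description, and a description with characters that must survive escaping.
const SAMPLE_DESCRIPTIONS = [
    'third planet from the Sun',
    '<img src=x onerror=alert()>',
    'Tom & Jerry\'s "house"',
];

/** Vulnerable: interpolates the description straight into the HTML row. */
function buildRowUnescaped(string $label, string $description): string
{
    return "<tr><th>$label</th><td>$description</td></tr>";
}

/** Fixed: HTML-escapes both cells before interpolation, so a description can
 *  never introduce new tags or attributes into the page. */
function buildRowEscaped(string $label, string $description): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    $safeLabel = htmlspecialchars($label, $flags, 'UTF-8');
    $safeDescription = htmlspecialchars($description, $flags, 'UTF-8');
    return "<tr><th>$safeLabel</th><td>$safeDescription</td></tr>";
}

/** Regression check: the rendered row must contain exactly the three tags we
 *  wrote ourselves (tr, th, td) and nothing contributed by the description. */
function rowHasOnlyExpectedTags(string $html): bool
{
    preg_match_all('/<\s*([a-z][a-z0-9]*)/i', $html, $matches);
    $tags = array_unique(array_map('strtolower', $matches[1]));
    sort($tags);
    return $tags === ['td', 'th', 'tr'];
}

$label = 'Central description';
foreach (SAMPLE_DESCRIPTIONS as $description) {
    $vulnerable = buildRowUnescaped($label, $description);
    $fixed = buildRowEscaped($label, $description);
    printf("input:      %s\n", $description);
    printf("unescaped:  %s  [foreign tags: %s]\n", $vulnerable,
        rowHasOnlyExpectedTags($vulnerable) ? 'no' : 'YES');
    printf("escaped:    %s  [foreign tags: %s]\n\n", $fixed,
        rowHasOnlyExpectedTags($fixed) ? 'no' : 'YES');
    if (!rowHasOnlyExpectedTags($fixed)) {
        throw new RuntimeException('escaped row still carries injected markup');
    }
}
```

For the payload input the unescaped row contains a live `img` element, while the escaped row contains only `&lt;img src=x onerror=alert()&gt;`, which the browser displays as text. The tag-count check is the kind of assertion worth keeping in a test suite so the row cannot silently regress to raw interpolation.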
Details
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Reedy | T292226 Release MediaWiki 1.35.5/1.36.3/1.37.1
Resolved | | Mstyles | T292236 Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1)
Resolved | Security | Urbanecm | T294693 XSS on page information Wikibase central description (CVE-2021-45473)
Event Timeline
As soon as this gets reviewed by someone else, the security team will be more than happy to deploy!
I’ll try to deploy the security patch to wmf.7 (and also wmf.6 since T293948: 1.38.0-wmf.7 deployment blockers isn’t closed yet).
Fix tested on Test Wikidata and Test Wikipedia (action=info showed the HTML-escaped description; I’ve revdeleted the relevant edits).
Thanks for the deploys. Also tracking this issue at T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1) and {T276237}.
We also intend to make this task public given the fix has landed in the public git repository. Please stop us if there are some additional steps required (e.g. related to T292236).
For non-bundled extensions like Wikibase, a task like this can be made public if mitigations have been deployed to Wikimedia production and there is no sensitive information on the task, which I do not believe there is. And yes, it's fine to handle any relevant backports once the issue has been mitigated within Wikimedia production. The backport to master means the patch will be removed from Wikimedia production either today for wmf.11 (if it made the cut) or next week for wmf.12 (or whatever it will be). This issue will get a proper CVE once we get closer to processing the supplemental security release, again towards the end of December 2021. I believe that's pretty much everything left to do at this point.