
XSS on
Closed, ResolvedPublicSecurity


Go to <script>alert()</script>&title=Oculus+Quest+II+(50844634326).jpg or <script>alert()</script> and view the numerous alert popups.

Furthermore, I was able to create a proof of concept URL which when clicked, would result in a file being uploaded or overwritten. This could potentially also be exploited to overwrite a highly in-use file when clicked by a user with sysop permissions, vandalizing highly visible pages.


Risk Rating: Medium
Author Affiliation: Wikimedia Communities

Event Timeline

Thanks for reporting this!
CC'ing @Danmichaelo per (but not sure how active they are; plus there is also )

In app.js

```js
config(['$translateProvider', function($translateProvider) {
    $translateProvider.useStaticFilesLoader({ // loader call assumed from the options below
        prefix: 'locale/',
        suffix: '.json'
    });
}]);
```

It seems that the interpolation parameters are trusted as HTML and thus not escaped due to this line


I removed this line and it fixed the XSS locally.

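The defect described in the comment above, as an added illustration rather than code from the tool or from the committed fix: a small model of `{{name}}` placeholder interpolation, showing the URL-derived parameter inserted as trusted HTML next to the escaped form (the behaviour angular-translate's 'escapeParameters' sanitize strategy provides). The template string, the query string and the helper names are assumptions.

```javascript
// Added illustration, not app.js: models how a translation string is filled
// with parameters taken from the URL, unsafely and then with escaping.

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Replace {{name}} placeholders with parameter values; sanitize() is applied
// to every parameter before insertion, unknown placeholders are left alone.
function interpolate(template, params, sanitize) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(params, name) ? sanitize(params[name]) : match);
}

// Vulnerable: parameters are inserted verbatim, so markup in ?title=... becomes live HTML.
function renderUnsafe(template, params) {
  return interpolate(template, params, (v) => String(v));
}

// Fixed: parameters are HTML-escaped; markup in the translation string itself is kept.
function renderEscaped(template, params) {
  return interpolate(template, params, escapeHtml);
}

// Constructed sample input: the title parameter as a browser would decode it.
function titleFromQuery(query) {
  return new URLSearchParams(query).get('title');
}

const template = 'Cropping <b>{{title}}</b>'; // assumed translation string
const hostileTitle = titleFromQuery('?title=<script>alert()</script>');

console.log(renderUnsafe(template, { title: hostileTitle }));   // script tag survives
console.log(renderEscaped(template, { title: hostileTitle }));  // rendered as text
```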
@Danmichaelo: Could you please answer? Thanks in advance!

Danmichaelo claimed this task.

@Aklapper @Dylsss Sorry that I missed this, have been on a wikibreak and missed the notifications!

Thanks a lot for reporting and also suggesting a fix! Have tested and committed the fix in and deployed it now.

sbassett triaged this task as Medium priority.Jun 6 2022, 8:57 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.