Page MenuHomePhabricator
Create Task
Maniphest T305766

filedupes XSS vulnerability
Closed, ResolvedPublicSecurity
Actions

Description

URL parameters like https://filedupes.toolforge.org/?project=%27%3C/input%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E can be used to execute arbitrary JS.

Since I had not received an email response for T305764 either, I am reporting this to Phabricator as well.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

1234qwer1234qwer4 created this task.Apr 8 2022, 11:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 8 2022, 11:36 PM
bd808 added a project: Tools.Apr 9 2022, 12:48 AM
bd808 removed a subscriber: Toolforge.
Reedy edited projects, added Vuln-XSS, SecTeam-Processed; removed Security-Team.Apr 9 2022, 11:58 AM
Magnus closed this task as Resolved.May 18 2022, 3:43 PM
Magnus claimed this task.

Fixed

sbassett triaged this task as Low priority.May 18 2022, 5:16 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
1234qwer1234qwer4 reopened this task as Open.Jan 25 2023, 10:02 PM

Fixed for short input parameters. But the issue persists with https://filedupes.toolforge.org/?language=commons&project=wikimedia&category=<%2Ftextarea><img+src%3D1+onerror%3D"alert('xss')">&doit=Do+it.

sbassett raised the priority of this task from Low to Needs Triage.Jan 25 2023, 10:06 PM
sbassett set Security to Software security bug.
sbassett added a project: Security-Team.
sbassett changed the visibility from "Public (No Login Required)" to "Custom Policy".
sbassett subscribed.
sbassett removed a project: Security-Team.Jan 30 2023, 5:11 PM
Magnus closed this task as Resolved.Nov 26 2025, 8:11 AM

Fixed.

sbassett triaged this task as Medium priority.Nov 27 2025, 4:18 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed Risk Rating from Low to Medium.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits