Page MenuHomePhabricator
Create Task
Maniphest T305774

wikidata-todo: dupe_finder XSS vulnerability
Closed, ResolvedPublicSecurity
Actions

Description

URL parameters like https://wikidata-todo.toolforge.org/dupe_finder.php?site=%27%3C/input%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E can be used to execute arbitrary JS.

Since I had not received an email response for T305764 either, I am reporting this to Phabricator as well.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

1234qwer1234qwer4 created this task.Apr 8 2022, 11:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 8 2022, 11:37 PM
bd808 added a project: Tools.Apr 9 2022, 12:46 AM
bd808 removed a subscriber: Toolforge.
Reedy edited projects, added Vuln-XSS, SecTeam-Processed; removed Security-Team.Apr 9 2022, 11:57 AM
Lucas_Werkmeister_WMDE renamed this task from wikidata-todo XSS vulnerability to wikidata-todo: dupe_finder XSS vulnerability.Apr 11 2022, 10:26 AM
Magnus closed this task as Resolved.May 18 2022, 3:53 PM
Magnus claimed this task.

Fixed

sbassett triaged this task as Low priority.May 18 2022, 5:26 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits