
CVE-2023-29133: XSS in Searchtext formatter in Cargo
Closed, ResolvedPublicSecurity

Description

CargoQueryDisplayer::getTextSnippet() calls html_entity_decode( $snippet ). This undoes the escaping applied earlier, so field content is emitted as raw HTML, resulting in an XSS.

Steps to reproduce:
Have a Cargo field named field of type Searchtext, and put the following value in it: <script>alert(1)</script> foo bar

Have a cargo query like follows:

{{#cargo_query:
tables=Test
|fields=field
|format=table
|where=field matches 'foo'
}}

Note the alert box that pops up.
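The escape-then-decode pattern described above, reduced to a stand-alone illustration. This is an added example, not Cargo's code: the function names snippetVulnerable() and snippetSafe() are hypothetical stand-ins for the behaviour of getTextSnippet() before and after the fix, and the field value is the one from the steps to reproduce.

```php
<?php
// Added illustration (not Cargo's code) of why calling html_entity_decode()
// on an already-escaped snippet reintroduces an XSS. Function names are
// hypothetical stand-ins for the before/after behaviour of getTextSnippet().

// Constructed input: the Searchtext field value from the report.
$fieldValue = '<script>alert(1)</script> foo bar';

/**
 * Vulnerable pattern: the value is escaped, but the snippet is then run
 * through html_entity_decode(), which turns &lt;script&gt; back into <script>.
 */
function snippetVulnerable( string $value ): string {
	$escaped = htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	return html_entity_decode( $escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

/**
 * Hardened pattern: escape exactly once, as the last step before output,
 * and never decode entities on the way out.
 */
function snippetSafe( string $value ): string {
	return htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

/** Cheap check a test can use: does the output still carry a raw tag? */
function containsRawTag( string $html ): bool {
	return strpos( $html, '<' ) !== false;
}

$vuln = snippetVulnerable( $fieldValue );
$safe = snippetSafe( $fieldValue );

echo "vulnerable: $vuln\n";
echo "safe:       $safe\n";

// The vulnerable output contains the literal <script> tag again; the safe
// output only ever contains entity-encoded angle brackets.
assert( containsRawTag( $vuln ) );
assert( !containsRawTag( $safe ) );
```

The general rule this demonstrates: escaping is an output-side operation and must be the final transformation before the string reaches the page. Any later decode, whether html_entity_decode(), a second template pass, or a "pretty printing" step, reopens the injection.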

Details

Author Affiliation
Other (Please specify in description)

Event Timeline

Bawolff changed Author Affiliation from N/A to Other (Please specify in description).Mar 6 2023, 5:53 PM

Thanks for pointing this out - and it turns out that that call is apparently no longer needed. I just removed it here:

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/895193

Yaron_Koren claimed this task.

I assume this can be closed.

Mstyles renamed this task from XSS in Searchtext formatter in Cargo to CVE-2023-29133: XSS in Searchtext formatter in Cargo.Apr 4 2023, 4:17 AM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 4 2023, 7:07 PM