CVE-2023-29133: XSS in Searchtext formatter in Cargo
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Bawolff
	Mar 6 2023, 5:53 PM

Description

CargoQueryDisplayer::getTextSnippet() calls html_entity_decode( $snippet ). This undos escaping, resulting in an XSS.

Steps to reproduce:
Have a cargo field named field of type Searchtext. Put the following value in it <script>alert(1)</script> foo bar

Have a cargo query like follows:

{{#cargo_query:
tables=Test
|fields=field
|format=table
|where=field matches 'foo'
}}

Note the alert box that pops up.

Mentioned In: T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3)

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 6 2023, 5:53 PM

Bawolff changed Author Affiliation from N/A to Other (Please specify in description).Mar 6 2023, 5:53 PM

Thanks for pointing this out - and it turns out that that call is apparently no longer needed. I just removed it here:

I assume thiss can be closed.

Mstyles renamed this task from XSS in Searchtext formatter in Cargo to CVE-2023-29133: XSS in Searchtext formatter in Cargo.Apr 4 2023, 4:17 AM

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 4 2023, 7:07 PM