Page MenuHomePhabricator
Create Task
Maniphest T361451

CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar
Closed, ResolvedPublicSecurity
Actions

Description

A continuation of T361448, T361449 & T361450, just for a different skin.

Proposed & tested patch:

diff --git a/Tempo.skin.php b/Tempo.skin.php
index fcb1f91..9cb7824 100644
--- a/Tempo.skin.php
+++ b/Tempo.skin.php
@@ -156,7 +156,7 @@ class TempoTemplate extends BaseTemplate {
                                        <div id="sidebar" role="navigation">
                                                <?php
                                                        foreach ( $this->getSidebar() as $boxName => $box ) { ?>
-                                                                               <section id="<?php echo Sanitizer::escapeIdForAttribute( $box['id'] ) ?>"<?php echo Linker::tooltip( $box['id'] ) ?>>
+                                                                               <section id="<?php echo htmlspecialchars( Sanitizer::escapeIdForAttribute( $box['id'] ), ENT_QUOTES ) ?>"<?php echo Linker::tooltip( $box['id'] ) ?>>
                                                                                <div class="top"><h3><?php echo htmlspecialchars( $box['header'] ); ?></h3></div>
 
                                                                                <?php if ( is_array( $box['content'] ) ) { ?>

Details

SubjectRepoBranchLines +/-
SECURITY: avoid stored XSS via MediaWiki:Sidebarmediawiki/skins/TempoREL1_41+1 -1
SECURITY: avoid stored XSS via MediaWiki:Sidebarmediawiki/skins/TempoREL1_39+1 -1
SECURITY: avoid stored XSS via MediaWiki:Sidebarmediawiki/skins/TempoREL1_40+1 -1
SECURITY: avoid stored XSS via MediaWiki:Sidebarmediawiki/skins/Tempomaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.Mar 31 2024, 8:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 31 2024, 8:08 PM
ashley claimed this task.Mar 31 2024, 8:08 PM
ashley added projects: Vuln-XSS, Other-skins.
sbassett mentioned this in T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).Apr 2 2024, 5:56 PM
sbassett subscribed.Apr 2 2024, 5:59 PM

Since this skin isn't deployed or bundled, the proposed patch can go through gerrit at any time. It will be (re)announced via the next supplemental security release: T361321.

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Apr 2 2024, 5:59 PM
sbassett added a project: security-bug.Apr 2 2024, 7:00 PM
Bawolff subscribed.Apr 3 2024, 9:10 PM

lgtm

ashley closed this task as Resolved.May 20 2024, 11:33 AM

This patch, too, got merged a while ago.

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2024, 11:33 AM
Reedy changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Jul 3 2024, 2:48 PM

Change #1051776 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/skins/Tempo@REL1_41] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051776

gerritbot added a project: Patch-For-Review.Jul 3 2024, 2:48 PM

Change #1051777 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/skins/Tempo@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051777

gerritbot added a comment.Jul 3 2024, 2:48 PM

Change #1051778 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/skins/Tempo@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051778

gerritbot added a comment.Jul 5 2024, 7:38 PM

Change #1051777 abandoned by Umherirrender:

[mediawiki/skins/Tempo@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar

Reason:

REL1_40 is end of life

https://gerrit.wikimedia.org/r/1051777

gerritbot added a comment.Jul 5 2024, 7:39 PM

Change #1051778 merged by jenkins-bot:

[mediawiki/skins/Tempo@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051778

gerritbot added a comment.Jul 5 2024, 7:40 PM

Change #1051776 merged by jenkins-bot:

[mediawiki/skins/Tempo@REL1_41] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051776

mmartorana renamed this task from Tempo skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.Jul 8 2024, 5:36 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 7:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits