Page MenuHomePhabricator
Create Task
Maniphest T381220

CVE-2025-23080: XSSes in Special:BadgeView
Closed, ResolvedPublicSecurity
Actions

Description

The system messages ob-view-proof, ob-view-no-evidence, and ob-view-evidence are used unescaped: https://github.com/wikimedia/mediawiki-extensions-OpenBadges/blob/a8d210903f0f0df1d3aa630b020576acc1a5e716/includes/specials/BadgesPager.php#L101-L125

Screenshot of XSS:

2024-12-02_00-46.png (973×1 px, 232 KB)

Details

Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: Escape interface messages used in Special:BadgeViewmediawiki/extensions/OpenBadgesREL1_41+3 -3
SECURITY: Escape interface messages used in Special:BadgeViewmediawiki/extensions/OpenBadgesREL1_43+3 -3
SECURITY: Escape interface messages used in Special:BadgeViewmediawiki/extensions/OpenBadgesREL1_42+3 -3
SECURITY: Escape interface messages used in Special:BadgeViewmediawiki/extensions/OpenBadgesmaster+3 -3
Customize query in gerrit

Related Objects

Event Timeline

BlankEclair created this task.Dec 1 2024, 1:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 1 2024, 1:46 PM
BlankEclair added projects: OpenBadges, Vuln-XSS.Dec 1 2024, 1:47 PM
BlankEclair added subscribers: Universal_Omega, Tfellows.
BlankEclair added a comment.Dec 1 2024, 1:51 PM

T381220.patch1 KBDownload

Mstyles subscribed.Dec 2 2024, 5:24 PM

@BlankEclair you can put this patch through gerrit since it's low priority.

Mstyles mentioned this in T375631: Write and send supplementary release announcement for extensions and skins with security patches (1.39.11/1.41.5/1.42.4).Dec 2 2024, 5:26 PM
Mstyles added a subscriber: gerritbot.
gerritbot added a comment.Dec 8 2024, 9:27 AM

Change #1101187 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/OpenBadges@master] SECURITY: Escape interface messages used in Special:BadgeView

https://gerrit.wikimedia.org/r/1101187

gerritbot added a project: Patch-For-Review.Dec 8 2024, 9:27 AM
gerritbot added a comment.Dec 8 2024, 12:57 PM

Change #1101187 merged by jenkins-bot:

[mediawiki/extensions/OpenBadges@master] SECURITY: Escape interface messages used in Special:BadgeView

https://gerrit.wikimedia.org/r/1101187

gerritbot added a comment.Dec 8 2024, 12:58 PM

Change #1101196 had a related patch set uploaded (by Paladox; author: BlankEclair):

[mediawiki/extensions/OpenBadges@REL1_43] SECURITY: Escape interface messages used in Special:BadgeView

https://gerrit.wikimedia.org/r/1101196

gerritbot added a comment.Dec 8 2024, 12:59 PM

Change #1101198 had a related patch set uploaded (by Paladox; author: BlankEclair):

[mediawiki/extensions/OpenBadges@REL1_42] SECURITY: Escape interface messages used in Special:BadgeView

https://gerrit.wikimedia.org/r/1101198

gerritbot added a comment.Dec 8 2024, 1:01 PM

Change #1101198 merged by jenkins-bot:

[mediawiki/extensions/OpenBadges@REL1_42] SECURITY: Escape interface messages used in Special:BadgeView

https://gerrit.wikimedia.org/r/1101198

gerritbot added a comment.Dec 8 2024, 1:02 PM

Change #1101196 merged by jenkins-bot:

[mediawiki/extensions/OpenBadges@REL1_43] SECURITY: Escape interface messages used in Special:BadgeView

https://gerrit.wikimedia.org/r/1101196

BlankEclair closed this task as Resolved.Dec 9 2024, 1:37 PM
BlankEclair claimed this task.
BlankEclair removed a project: Patch-For-Review.
gerritbot added a comment.Fri, Jan 10, 4:36 PM

Change #1109742 had a related patch set uploaded (by Mmartorana; author: BlankEclair):

[mediawiki/extensions/OpenBadges@REL1_41] SECURITY: Escape interface messages used in Special:BadgeView

https://gerrit.wikimedia.org/r/1109742

gerritbot added a project: Patch-For-Review.Fri, Jan 10, 4:36 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Tue, Jan 14, 4:33 PM
mmartorana changed the edit policy from "Custom Policy" to "All Users".
mmartorana renamed this task from XSSes in Special:BadgeView to CVE-2025-23080: XSSes in Special:BadgeView.Tue, Jan 14, 7:19 PM
gerritbot added a comment.Tue, Jan 14, 8:07 PM

Change #1109742 merged by Paladox:

[mediawiki/extensions/OpenBadges@REL1_41] SECURITY: Escape interface messages used in Special:BadgeView

https://gerrit.wikimedia.org/r/1109742

Maintenance_bot removed a project: Patch-For-Review.Tue, Jan 14, 8:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits