
CVE-2025-23079: XSSes in Extension:ArticleFeedbackv5
Closed, Resolved · Public · Security

Assigned To
Authored By
BlankEclair
Dec 9 2024, 9:54 AM
Referenced Files
F57791066: T381753.patch
Dec 9 2024, 11:14 AM
F57790924: 2024-12-09_20-45.png
Dec 9 2024, 9:54 AM
F57790922: 2024-12-09_20-29.png
Dec 9 2024, 9:54 AM
F57790920: 2024-12-09_20-23.png
Dec 9 2024, 9:54 AM
F57790918: 2024-12-09_20-16.png
Dec 9 2024, 9:54 AM
F57790916: 2024-12-09_20-05.png
Dec 9 2024, 9:54 AM
F57790913: 2024-12-09_19-59.png
Dec 9 2024, 9:54 AM

Description

This was found during security review when requested for installation, so the extension is not installed on Miraheze yet.
Corresponding Miraheze issue tracker task: https://issue-tracker.miraheze.org/T12979


System message: articlefeedbackv5-activity-pane-header
Cause: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/ArticleFeedbackv5/+/aa0e2e6dfe9e1004d145f2a787b59885688464c5/modules/jquery.articleFeedbackv5/jquery.articleFeedbackv5.special.js#1709
Screenshot:

2024-12-09_19-59.png (1×1 px, 200 KB)

Example reproduction steps:

  1. Leave some feedback on a page
  2. Go to Special:ArticleFeedbackv5
  3. Mark feedback as inappropriate
  4. Request oversight on feedback
  5. Refresh page
  6. Find that comment again
  7. View activity

System messages: articlefeedbackv5-bucket?-title
Cause: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/ArticleFeedbackv5/+/aa0e2e6dfe9e1004d145f2a787b59885688464c5/modules/jquery.articleFeedbackv5/jquery.articleFeedbackv5.js#710
Screenshot:

2024-12-09_20-05.png (1×1 px, 340 KB)

Example reproduction steps:

  1. Use ?uselang=x-xss on a page that has feedback enabled

System message: pipe-separator
Cause: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/ArticleFeedbackv5/+/aa0e2e6dfe9e1004d145f2a787b59885688464c5/modules/jquery.articleFeedbackv5/jquery.articleFeedbackv5.js#1312
Screenshot:

2024-12-09_20-16.png (1×1 px, 347 KB)

Example reproduction steps:

  1. Add to common.css:
       #siteSub {
           display: block;
       }
  2. Add to LocalSettings.php:
       $wgArticleFeedbackv5LinkBuckets['buckets']['X'] = 0;
       $wgArticleFeedbackv5LinkBuckets['buckets']['A'] = 100;
  3. Clear your cookies because you're way too lazy to wait for the chosen bucket to expire lol
  4. Use ?uselang=x-xss on a page that has feedback enabled

Cause: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/ArticleFeedbackv5/+/aa0e2e6dfe9e1004d145f2a787b59885688464c5/modules/jquery.articleFeedbackv5/jquery.articleFeedbackv5.js#2030
Screenshot:

2024-12-09_20-23.png (1×1 px, 204 KB)

Example reproduction steps:

  1. Add to common.css:
       #siteSub {
           display: block;
       }
  2. Add to LocalSettings.php:
       $wgArticleFeedbackv5LinkBuckets['buckets']['X'] = 0;
       $wgArticleFeedbackv5LinkBuckets['buckets']['A'] = 100;
  3. Add XSS to the system message articlefeedbackv5-disable-preference
  4. Clear your cookies because you're way too lazy to wait for the chosen bucket to expire lol
  5. Go to a page with feedback enabled
  6. Hover over the "Improve this page" link in the site subtitle
  7. Click on the subsequent [x]

Cause: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/ArticleFeedbackv5/+/aa0e2e6dfe9e1004d145f2a787b59885688464c5/modules/jquery.articleFeedbackv5/jquery.articleFeedbackv5.js#2812
Screenshot:

2024-12-09_20-29.png (1×1 px, 205 KB)

Example reproduction steps:

  1. Add to LocalSettings.php:
       $wgArticleFeedbackv5ThrottleThresholdPostsPerHour = 0;
  2. Add XSS to the system message articlefeedbackv5-error-throttled
  3. Go to a page with feedback enabled
  4. Try to leave some feedback

System message: articlefeedbackv5-activity-feedback-info
Cause: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/ArticleFeedbackv5/+/aa0e2e6dfe9e1004d145f2a787b59885688464c5/api/ApiViewActivityArticleFeedbackv5.php#106
Screenshot:

2024-12-09_20-45.png (1×1 px, 221 KB)

Example reproduction steps:

  1. Leave some feedback on a page
  2. Go to Special:ArticleFeedbackv5
  3. Mark feedback as inappropriate
  4. Request oversight on feedback
  5. Refresh page
  6. Find that comment again
  7. View activity
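
Added example (not part of the original report, and not the extension's code or the patch): a regression check in the spirit of the ?uselang=x-xss step above, which swaps every system message for inert marker markup and reports which message keys reach the output as live HTML. The message keys are taken from the report; the message texts, the marker, the rendered fragment and all function names are constructed for illustration.

```javascript
// Message keys come from the report; the texts and all function names are constructed.
const MESSAGES = {
  'articlefeedbackv5-activity-pane-header': 'Activity',
  'pipe-separator': ' | ',
  'articlefeedbackv5-error-throttled': 'Too many posts, try again later.'
};

// Probe mode mimics the idea behind ?uselang=x-xss: every message is replaced
// by markup that carries its own key. The marker is inert and constructed.
function msg(key, probe) {
  return probe ? `<i data-probe="${key}"></i>` : MESSAGES[key];
}

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Builds the fragment; `out` decides how message text enters the HTML string.
function render(probe, out) {
  return '<h3>' + out(msg('articlefeedbackv5-activity-pane-header', probe)) + '</h3>' +
    '<a href="#a">A</a>' + out(msg('pipe-separator', probe)) + '<a href="#b">B</a>' +
    '<p class="error">' + out(msg('articlefeedbackv5-error-throttled', probe)) + '</p>';
}
const renderUnsafe = (probe) => render(probe, (s) => s);   // raw concatenation
const renderSafe = (probe) => render(probe, escapeHtml);   // escaped at output

// Returns the keys whose probe markup survived into the output as live HTML.
function findUnescapedMessages(renderFn) {
  const hits = [];
  const re = /<i data-probe="([^"]+)"><\/i>/g;
  for (const m of renderFn(true).matchAll(re)) hits.push(m[1]);
  return hits;
}

console.log('unsafe:', findUnescapedMessages(renderUnsafe));
console.log('safe:  ', findUnescapedMessages(renderSafe));
```

A short message such as pipe-separator is flagged the same way as the longer ones, which is why the check runs over every key rather than only those that look like content.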

Event Timeline

Restricted Application added a subscriber: Aklapper.
mmartorana subscribed.

Hey

this patch needs to go through Gerrit.

We’ll include it in the supplemental security release.

Thanks

Change #1102463 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/ArticleFeedbackv5@master] SECURITY: Fix several XSSes

https://gerrit.wikimedia.org/r/1102463

Change #1102469 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/ArticleFeedbackv5@REL1_41] SECURITY: Fix several XSSes

https://gerrit.wikimedia.org/r/1102469

Change #1102470 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/ArticleFeedbackv5@REL1_42] SECURITY: Fix several XSSes

https://gerrit.wikimedia.org/r/1102470

Change #1102471 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/ArticleFeedbackv5@REL1_43] SECURITY: Fix several XSSes

https://gerrit.wikimedia.org/r/1102471

Change #1102463 merged by jenkins-bot:

[mediawiki/extensions/ArticleFeedbackv5@master] SECURITY: Fix several XSSes

https://gerrit.wikimedia.org/r/1102463

Change #1102469 merged by jenkins-bot:

[mediawiki/extensions/ArticleFeedbackv5@REL1_41] SECURITY: Fix several XSSes

https://gerrit.wikimedia.org/r/1102469

Change #1102471 merged by jenkins-bot:

[mediawiki/extensions/ArticleFeedbackv5@REL1_43] SECURITY: Fix several XSSes

https://gerrit.wikimedia.org/r/1102471

Change #1102470 merged by jenkins-bot:

[mediawiki/extensions/ArticleFeedbackv5@REL1_42] SECURITY: Fix several XSSes

https://gerrit.wikimedia.org/r/1102470

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)". · Fri, Jan 10, 6:04 PM
mmartorana changed the edit policy from "Custom Policy" to "All Users".
mmartorana renamed this task from XSSes in Extension:ArticleFeedbackv5 to CVE-2025-23079: XSSes in Extension:ArticleFeedbackv5. · Tue, Jan 14, 7:19 PM