Page MenuHomePhabricator
Create Task
Maniphest T382043

CVE-2025-23078: XSS in BreadCrumbs2
Closed, ResolvedPublicSecurity
Actions

Assigned To
BlankEclair
Authored By
BlankEclair
Dec 12 2024, 1:06 AM
Tags
Referenced Files
F57841359: T382043.patch
Dec 12 2024, 4:51 AM
Unknown Object (File)
Dec 12 2024, 4:51 AM
F57810250: T382043.patch
Dec 12 2024, 1:26 AM
F57807038: 2024-12-12_11-56.png
Dec 12 2024, 1:06 AM
Subscribers
Aklapper
BlankEclair
gerritbot
Reception123
Universal_Omega
YOUR1

Description

Found when doing security review for https://issue-tracker.miraheze.org/T12987

Cause: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/BreadCrumbs2/+/98a156f34f13635a73193df245c569a9855328e2/BreadCrumbs2.class.php#124
Screenshot:

2024-12-12_11-56.png (988×1 px, 147 KB)

Reproduction steps:

  1. Install BreadCrumb2
  2. Set $wgAllowDisplayTitle to true and $wgRestrictDisplayTitle to false
  3. Save the following wikitext to a page:
{{DISPLAYTITLE: <span style="color: purple">meow&lt;&gt;&amp;'"</span> <script>alert(1)</script>}}
  1. Load said page

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: Fix XSS when outputting display titlemediawiki/extensions/BreadCrumbs2REL1_42+9 -7
SECURITY: Fix XSS when outputting display titlemediawiki/extensions/BreadCrumbs2REL1_43+9 -7
SECURITY: Fix XSS when outputting display titlemediawiki/extensions/BreadCrumbs2master+9 -7
Customize query in gerrit

Related Objects

Event Timeline

BlankEclair created this task.Dec 12 2024, 1:06 AM
Restricted Application added a project: affects-Miraheze. · View Herald TranscriptDec 12 2024, 1:06 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
BlankEclair claimed this task.Dec 12 2024, 1:07 AM
BlankEclair added projects: MediaWiki-extensions-Other, Vuln-XSS.
BlankEclair added subscribers: Universal_Omega, YOUR1.
BlankEclair updated the task description. (Show Details)Dec 12 2024, 1:23 AM
BlankEclair added a comment.EditedDec 12 2024, 1:26 AM

T382043.patch1 KBDownload

BlankEclair added a comment.Dec 12 2024, 4:53 AM

oops forgot a trim

T382043.patch1 KBDownload

BlankEclair attached a referenced file: F57841359: T382043.patch. (Show Details)Dec 12 2024, 4:54 AM
YOUR1 added a comment.Dec 12 2024, 6:41 AM

Thanks for the patch, can you submit it to Gerrit?

BlankEclair added a project: Patch-For-Review.Dec 12 2024, 9:14 AM
BlankEclair added a subscriber: gerritbot.
gerritbot added a comment.Dec 12 2024, 9:14 AM

Change #1102734 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/BreadCrumbs2@master] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102734

gerritbot added a comment.Dec 12 2024, 9:19 AM

Change #1102737 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/BreadCrumbs2@REL1_42] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102737

gerritbot added a comment.Dec 12 2024, 9:20 AM

Change #1102738 had a related patch set uploaded (by BlankEclair; author: BlankEclair):

[mediawiki/extensions/BreadCrumbs2@REL1_43] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102738

gerritbot added a comment.Dec 12 2024, 9:22 AM

Change #1102734 merged by jenkins-bot:

[mediawiki/extensions/BreadCrumbs2@master] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102734

gerritbot added a comment.Dec 12 2024, 9:41 AM

Change #1102738 merged by jenkins-bot:

[mediawiki/extensions/BreadCrumbs2@REL1_43] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102738

gerritbot added a comment.Dec 12 2024, 11:28 AM

Change #1102737 merged by jenkins-bot:

[mediawiki/extensions/BreadCrumbs2@REL1_42] SECURITY: Fix XSS when outputting display title

https://gerrit.wikimedia.org/r/1102737

mmartorana closed this task as Resolved.Dec 19 2024, 3:31 PM
mmartorana mentioned this in T375631: Write and send supplementary release announcement for extensions and skins with security patches (1.39.11/1.41.5/1.42.4).
mmartorana changed Risk Rating from N/A to Medium.
sbassett triaged this task as Medium priority.Dec 19 2024, 3:58 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
Restricted Application added a subscriber: Reception123. · View Herald TranscriptDec 19 2024, 3:58 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Dec 19 2024, 3:59 PM
sbassett edited projects, added SecTeam-Processed; removed Patch-For-Review.
mmartorana renamed this task from XSS in BreadCrumbs2 to CVE-2025-23078: XSS in BreadCrumbs2.Tue, Jan 14, 7:20 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits