Page MenuHomePhabricator
Create Task
Maniphest T386337

CVE-2025-32073: System message XSS in HTMLTags
Closed, ResolvedPublicSecurity
Actions

Description

https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/HTMLTags/+/aff6f56c8b555df262bad4e88dd60645e2848154/includes/HTMLTags.php#31

This returns the ~literal contents of the system message "htmltags-notagname", and the return value of the tag function is interpreted as raw HTML.

Details

Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

BlankEclair created this task.Feb 13 2025, 10:17 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 13 2025, 10:17 AM
BlankEclair added projects: Vuln-XSS, MediaWiki-extensions-Other.Feb 13 2025, 10:18 AM
BlankEclair added a subscriber: Yaron_Koren.
Aklapper added a comment.Feb 13 2025, 10:29 AM

@Yaron_Koren: https://www.mediawiki.org/wiki/Extension:HTML_Tags does not list where to report issues. If you'd like to use Wikimedia Phabricator to track issues in this extension, could you please request a dedicated project tag and watch it afterwards, so folks don't have to manually look up maintainer(s) on the wiki page and manually CC them on tickets? Thanks a lot! :)

BlankEclair added a comment.Feb 13 2025, 10:20 PM

We have to subscribe them to security tasks anyway because of the default view policy

sbassett added subscribers: gerritbot, sbassett.Feb 19 2025, 6:14 PM

If an owner/maintainer is found who wishes to submit a patch, this should just go directly through gerrit.

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Feb 19 2025, 6:14 PM
Yaron_Koren added a comment.Feb 19 2025, 7:16 PM

@BlankEclair - thanks for pointing out the problem. I believe it's fixed now, with this change:

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/HTMLTags/+/1121056

sbassett mentioned this in T382326: Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1).Feb 19 2025, 8:26 PM
BlankEclair closed this task as Resolved.Feb 19 2025, 10:04 PM
BlankEclair assigned this task to Yaron_Koren.

LGTM

Aklapper added a comment.Feb 21 2025, 1:12 PM

@Yaron_Koren: https://www.mediawiki.org/wiki/Extension:HTML_Tags does not list where to report issues. If you'd like to use Wikimedia Phabricator to track issues in this extension, could you please request a dedicated project tag and watch it afterwards, so folks don't have to manually look up maintainer(s) on the wiki page and manually CC them on tickets? Thanks a lot!

Mstyles renamed this task from System message XSS in HTMLTags to CVE-2025-32073: System message XSS in HTMLTags.Apr 11 2025, 5:05 PM
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits