Page MenuHomePhabricator
Create Task
Maniphest T392276

CVE-2025-6591: HTML injection in API action=feedcontributions output from i18n message
Closed, ResolvedPublicSecurity
Actions

Assigned To
Legoktm
Authored By
Legoktm
Apr 18 2025, 2:29 AM
Tags
Referenced Files
F59419129: T392276-rev2.patch
Apr 25 2025, 9:06 PM
F59285778: 0001-SECURITY-API-Escape-i18n-messages-in-action-feedcont.patch
Apr 18 2025, 2:34 AM
F59285734: Screenshot 2025-04-17 at 22-26-26 .png
Apr 18 2025, 2:29 AM
Subscribers
Aklapper
gerritbot
Jly
Legoktm
Lucas_Werkmeister_WMDE
sbassett

Description

This is basically the same issue as T386175: CVE-2025-32072: HTML injection in feed output from i18n message, except in the API's action=feedcontributions class.

This applies to:

Note that both are ->inContentLanguage(), so you'll need to set $wgLanguageCode = 'x-xss';, and then visiting a URL like http://localhost:4881/api.php?action=feedcontributions&format=json&user=Administrator&formatversion=2&uselang=x-xss, you'll see:

Screenshot 2025-04-17 at 22-26-26 .png (940×1 px, 174 KB)

in which the <title> and <description> both have unescaped script tags. I didn't research whether this would be exploitable in any feed reader (presumably feed readers should be defensive against this), but just copying T386175.

Fix should be as simple as using ->escaped() as the output format. I'll post a patch in a few minutes.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: API: Escape i18n messages in action=feedcontributionsmediawiki/coremaster+3 -3
SECURITY: API: Escape i18n messages in action=feedcontributionsmediawiki/coreREL1_42+3 -3
SECURITY: API: Escape i18n messages in action=feedcontributionsmediawiki/coreREL1_43+3 -3
SECURITY: API: Escape i18n messages in action=feedcontributionsmediawiki/coreREL1_44+3 -3
SECURITY: API: Escape i18n messages in action=feedcontributionsmediawiki/coreREL1_39+3 -3
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedReedyT389313 Formally EOL MW 1.42
Restricted Task
Restricted Task
 ResolvedSecurityLegoktmT392276 CVE-2025-6591: HTML injection in API action=feedcontributions output from i18n message

Event Timeline

Legoktm created this task.Apr 18 2025, 2:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 18 2025, 2:29 AM
Legoktm added a project: MediaWiki-Action-API.Apr 18 2025, 2:30 AM
Legoktm added a subscriber: Lucas_Werkmeister_WMDE.
Legoktm added a project: Patch-For-Review.Apr 18 2025, 2:34 AM

0001-SECURITY-API-Escape-i18n-messages-in-action-feedcont.patch1 KBDownload

Legoktm mentioned this in T392279: CVE-2025-53502: HTML injection in FeaturedFeeds output from i18n message.Apr 18 2025, 3:38 AM
Lucas_Werkmeister_WMDE added a comment.Apr 22 2025, 8:44 AM

Code review: in execute(), htmlspecialchars( $msg ) should probably be changed to just $msg now that $msg is already escaped? (But I haven’t tried this out locally.)

About the content language issue, I wonder if the x-xss language code should also set the content language, or if that would cause more problems…

Jly subscribed.Apr 24 2025, 4:02 PM

For the patch, yes, you're right, htmlspecialchars( $msg ) should be just $msg as it will be encoded twice, needs a small tweak @Legoktm

Jly triaged this task as Low priority.Apr 24 2025, 4:04 PM
Jly edited projects, added Patch-Needs-Improvement, Vuln-XSS; removed Patch-For-Review.
sbassett subscribed.Apr 25 2025, 9:06 PM
In T392276#10765587, @Jly wrote:

For the patch, yes, you're right, htmlspecialchars( $msg ) should be just $msg as it will be encoded twice, needs a small tweak @Legoktm

Fixed in rev 2:

T392276-rev2.patch1 KBDownload

Lucas_Werkmeister_WMDE added a comment.Apr 28 2025, 3:09 PM
In T392276#10769562, @sbassett wrote:

T392276-rev2.patch1 KBDownload

CR+1

sbassett changed the task status from Open to In Progress.Apr 28 2025, 4:21 PM
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
sbassett edited projects, added Patch-For-Review; removed Patch-Needs-Improvement.
sbassett added a parent task: Restricted Task.Apr 28 2025, 9:53 PM
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Apr 28 2025, 10:03 PM
sbassett removed a project: Patch-For-Review.

Deployed the rev2 patch to Wikimedia production: https://sal.toolforge.org/log/ImZtfpYBvg159pQrEcEf. All seems fine.

sbassett assigned this task to Legoktm.Apr 28 2025, 10:03 PM
Reedy added a subscriber: GerritBot.Jun 24 2025, 8:12 PM
Reedy closed this task as Resolved.Jun 24 2025, 8:25 PM
Reedy added projects: MW-1.39-release, MW-1.42-release, MW-1.43-release, MW-1.44-release.Jun 24 2025, 9:46 PM
Reedy renamed this task from HTML injection in API action=feedcontributions output from i18n message to CVE-2025-6591: HTML injection in API action=feedcontributions output from i18n message.Jun 24 2025, 11:26 PM
Reedy edited subscribers, added: gerritbot; removed: GerritBot.Jun 30 2025, 1:44 PM
gerritbot added a comment.Jun 30 2025, 6:04 PM

Change #1165072 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_43] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165072

gerritbot added a project: Patch-For-Review.Jun 30 2025, 6:04 PM
gerritbot added a comment.Jun 30 2025, 6:20 PM

Change #1165085 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_39] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165085

gerritbot added a comment.Jun 30 2025, 6:32 PM

Change #1165098 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_44] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165098

gerritbot added a comment.Jun 30 2025, 6:42 PM

Change #1165085 merged by jenkins-bot:

[mediawiki/core@REL1_39] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165085

gerritbot added a comment.Jun 30 2025, 7:03 PM

Change #1165113 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@master] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165113

gerritbot added a comment.Jun 30 2025, 7:29 PM

Change #1165132 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_42] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165132

gerritbot added a comment.Jun 30 2025, 7:29 PM

Change #1165098 merged by jenkins-bot:

[mediawiki/core@REL1_44] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165098

gerritbot added a comment.Jun 30 2025, 7:33 PM

Change #1165072 merged by jenkins-bot:

[mediawiki/core@REL1_43] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165072

gerritbot added a comment.Jun 30 2025, 7:37 PM

Change #1165113 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165113

gerritbot added a comment.Jun 30 2025, 8:13 PM

Change #1165132 merged by jenkins-bot:

[mediawiki/core@REL1_42] SECURITY: API: Escape i18n messages in action=feedcontributions

https://gerrit.wikimedia.org/r/1165132

sbassett removed a project: Patch-For-Review.Jul 8 2025, 9:11 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Maintenance_bot added a project: MW-Interfaces-Team.Jul 8 2025, 9:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits