Page MenuHomePhabricator
Create Task
Maniphest T394700

CVE-2025-53480: Special:Investigate 'Account information' tab has i18n XSS vectors
Closed, ResolvedPublic1 Estimated Story PointsSecurity
Actions

Description

Summary

The CheckUser extension has Special:Investigate which is currently vulnerable to i18n XSS in the 'Account information' tab (through checking with the x-xss language). These XSS vectors should be fixed.

Background

  • The x-xss language allows finding messages which are not properly escaped in MediaWiki interfaces
  • The CheckUser extension has Special:Investigate for investigating users to see if they have performed abuse
  • When using the x-xss language on Special:Investigate for the Account information tab, there are several popup alerts that indicate the CheckUser is not properly escaping these messages
  • The messages which are vulnerable:
    • checkuser-investigate-preliminary-table-cell-wiki-nowiki
    • rev-deleted-user

Acceptance criteria

  • The CheckUser Special:Investigate Account information tab is no longer vulnerable to i18n XSS

Details

Risk Rating
Low
Author Affiliation
WMF Technology
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Fix i18n XSS in PreliminaryCheckPagermediawiki/extensions/CheckUsermaster+2 -2
SECURITY: Fix i18n XSS in PreliminaryCheckPagermediawiki/extensions/CheckUserREL1_42+2 -2
SECURITY: Fix i18n XSS in PreliminaryCheckPagermediawiki/extensions/CheckUserREL1_43+2 -2
SECURITY: Fix i18n XSS in PreliminaryCheckPagermediawiki/extensions/CheckUserREL1_44+2 -2
SECURITY: Fix i18n XSS in PreliminaryCheckPagermediawiki/extensions/CheckUserREL1_39+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.May 19 2025, 4:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 19 2025, 4:29 PM
Dreamy_Jazz added projects: CheckUser, Trust and Safety Product Team, Vuln-XSS.May 19 2025, 4:29 PM
Dreamy_Jazz claimed this task.May 19 2025, 4:37 PM
Dreamy_Jazz set the point value for this task to 1.
Dreamy_Jazz added projects: Patch-For-Review, Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).

T394700.patch1 KBDownload

Dreamy_Jazz moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.May 19 2025, 4:37 PM
mszabo subscribed.May 19 2025, 4:39 PM

+2

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.May 19 2025, 4:40 PM
sbassett added a project: SecTeam-Processed.
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.May 19 2025, 9:21 PM
sbassett subscribed.

Deployed to Wikimedia production.

sbassett changed the task status from Open to In Progress.May 19 2025, 9:22 PM
sbassett triaged this task as Low priority.
sbassett changed Risk Rating from N/A to Low.
sbassett mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).May 19 2025, 9:30 PM
sbassett removed a project: Patch-For-Review.May 19 2025, 9:46 PM
Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.May 21 2025, 12:51 PM
Dreamy_Jazz added a comment.May 21 2025, 1:00 PM

This may be hard to QA on production, so probably best wait until the patches are backported.

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 25 2025, 6:52 PM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).Jun 16 2025, 6:12 AM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)); removed Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).Jul 7 2025, 9:41 AM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.
mmartorana renamed this task from Special:Investigate 'Account information' tab has i18n XSS vectors to CVE-2025-53480: Special:Investigate 'Account information' tab has i18n XSS vectors.Jul 8 2025, 5:29 PM
mmartorana closed this task as Resolved.Jul 8 2025, 5:32 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".
Dreamy_Jazz reopened this task as Open.Jul 8 2025, 6:11 PM

Needs to wait for QA

sbassett added a comment.Jul 8 2025, 8:50 PM

Note: this has been merged to master and backported - https://gerrit.wikimedia.org/r/q/I777fc55fef15c3b00df0db268af2b64cb2d6e381

Dreamy_Jazz moved this task from Inbox to Investigate on the CheckUser board.Jul 16 2025, 12:28 PM
Dreamy_Jazz added subscribers: dom_walden, Djackson-ctr.Jul 18 2025, 11:54 AM
Djackson-ctr moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.Jul 19 2025, 9:14 AM

QA is completed...
The new code has been implemented and is working as expected per the Acceptance Criteria.

Tchanders closed this task as Resolved.Jul 20 2025, 6:32 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits