Page MenuHomePhabricator
Create Task
Maniphest T394721

CVE-2025-7363: XSS in TitleIcon
Closed, ResolvedPublicSecurity
Actions

Assigned To
SomeRandomDeveloper
Authored By
SomeRandomDeveloper
May 19 2025, 6:10 PM
Tags
Referenced Files
F60384666: 01-T394721.patch
May 22 2025, 7:02 PM
F60256820: T394721.diff
May 19 2025, 9:32 PM
F60256617: image.png
May 19 2025, 9:31 PM
F60256600: image.png
May 19 2025, 9:31 PM
F60256577: image.png
May 19 2025, 9:31 PM
Subscribers
Aklapper
Bawolff
BlankEclair
cicalese
gerritbot
Paladox
RhinosF1
View All 9 Subscribers

Description

The Title Icon extension is vulnerable to XSS by abusing the unicode icon parser function.

Reproduction steps:

  • Enable the Title Icon extension
  • Insert the following code into a page: {{#titleicon_unicode:<script>alert("XSS :(")</script>}} (Special:ExpandTemplates does not work since it doesn't show the title icon)
  • Visit the page

The XSS payload will very likely also be executed in search results, however I wasn't able to test this since searching did not work on my test MW instance.

Cause:

The supplied unicode for the icon is wrapped in an HtmlArmor without any prior sanitization or validation: https://github.com/wikimedia/mediawiki-extensions-TitleIcon/blob/bd722b67b55b87012b66226ed3542ccafe7a5173/src/IconManager.php#L407

Further information:

  • Tested on MediaWiki 1.43.0 (d7861af)
  • PHP: 8.3.14 (fpm-fcgi)
  • Extension version: 6.2.0 (bd722b6)
  • Browser: Firefox 138.0.3 (64-bit) on Fedora Linux 42

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Bump version number due to T394721mediawiki/extensions/TitleIconREL1_44+1 -1
Bump version number due to T394721mediawiki/extensions/TitleIconREL1_43+1 -1
Bump version number due to T394721mediawiki/extensions/TitleIconmaster+1 -1
Bump version number due to T394721mediawiki/extensions/TitleIconREL1_42+6 -0
Bump version number due to T394721mediawiki/extensions/TitleIconREL1_39+1 -1
SECURITY: Escape unicode iconsmediawiki/extensions/TitleIconREL1_44+2 -1
SECURITY: Escape unicode iconsmediawiki/extensions/TitleIconmaster+2 -1
SECURITY: Escape unicode iconsmediawiki/extensions/TitleIconREL1_39+2 -1
SECURITY: Escape unicode iconsmediawiki/extensions/TitleIconREL1_42+2 -1
SECURITY: Escape unicode iconsmediawiki/extensions/TitleIconREL1_43+2 -1
Customize query in gerrit

Related Objects

Event Timeline

SomeRandomDeveloper created this task.May 19 2025, 6:10 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 19 2025, 6:10 PM
SomeRandomDeveloper added a project: affects-Miraheze.May 19 2025, 6:12 PM
SomeRandomDeveloper added subscribers: BlankEclair, Paladox, cicalese, RhinosF1.

Not sure how to fix this issue without breaking the examples mentioned on the mediawiki.org page (e.g. {{#titleicon_unicode:&#x1F469;&#x1F3FE;&zwj;&#x1F4BB;|TestPage}} would be shown as &#x1F469;&#x1F3FE;&zwj;&#x1F4BB; when not wrapped in an HTMLArmor)

Bawolff subscribed.May 19 2025, 7:07 PM

I have not tested this and am not that familiar with the extension, but maybe try:
In https://github.com/wikimedia/mediawiki-extensions-TitleIcon/blob/master/src/IconManager.php#L407

Change line
new HtmlArmor( $icon->getIcon() )

To

Sanitizer::decodeCharReferences( $icon->getIcon() )

SomeRandomDeveloper added a comment.May 19 2025, 9:31 PM

That seems to work with both escaped and unescaped emojis, and it fixes the vulnerability, since the text is now always sanitized by linkRenderer->makeLink. Thank you!

image.png (154×540 px, 16 KB)

image.png (159×338 px, 13 KB)

image.png (177×721 px, 21 KB)

SomeRandomDeveloper claimed this task.EditedMay 19 2025, 9:32 PM

Patch:

T394721.diff482 BDownload

This uses the deprecated class alias for Sanitizer, which is still present in core on the master branch, so there shouldn't be any compatibility issues caused by this.

Reedy added a project: MediaWiki-extensions-Title-Icon.May 19 2025, 10:19 PM
SomeRandomDeveloper renamed this task from Reflected XSS in TitleIcon to XSS in TitleIcon.May 22 2025, 6:55 PM
SomeRandomDeveloper updated the task description. (Show Details)
SomeRandomDeveloper added a comment.May 22 2025, 7:02 PM

Properly formatted patch:

01-T394721.patch936 BDownload

SomeRandomDeveloper added a subscriber: gerritbot.May 22 2025, 7:09 PM
gerritbot added a comment.May 22 2025, 7:11 PM

Change #1149458 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/extensions/TitleIcon@master] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149458

gerritbot added a project: Patch-For-Review.May 22 2025, 7:11 PM
gerritbot added a comment.May 22 2025, 7:15 PM

Change #1149459 had a related patch set uploaded (by RhinosF1; author: SomeRandomDeveloper):

[mediawiki/extensions/TitleIcon@REL1_43] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149459

gerritbot added a comment.May 22 2025, 7:17 PM

Change #1149460 had a related patch set uploaded (by RhinosF1; author: SomeRandomDeveloper):

[mediawiki/extensions/TitleIcon@REL1_42] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149460

gerritbot added a comment.May 22 2025, 7:17 PM

Change #1149461 had a related patch set uploaded (by RhinosF1; author: SomeRandomDeveloper):

[mediawiki/extensions/TitleIcon@REL1_39] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149461

gerritbot added a comment.May 22 2025, 7:19 PM

Change #1149459 merged by jenkins-bot:

[mediawiki/extensions/TitleIcon@REL1_43] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149459

gerritbot added a comment.May 22 2025, 7:20 PM

Change #1149460 merged by jenkins-bot:

[mediawiki/extensions/TitleIcon@REL1_42] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149460

gerritbot added a comment.May 22 2025, 7:20 PM

Change #1149461 merged by jenkins-bot:

[mediawiki/extensions/TitleIcon@REL1_39] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149461

cicalese added a comment.May 22 2025, 7:41 PM

Please also do a version bump to 6.2.1 in extension.json in all patched branches that did not get a MW version bump and a version bump to 6.3.0 in all branches that got a MW version bump from 1.39.0 to 1.40.0. Thank you!

gerritbot added a comment.May 22 2025, 7:41 PM

Change #1149458 merged by jenkins-bot:

[mediawiki/extensions/TitleIcon@master] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149458

gerritbot added a comment.May 22 2025, 7:42 PM

Change #1149468 had a related patch set uploaded (by RhinosF1; author: SomeRandomDeveloper):

[mediawiki/extensions/TitleIcon@REL1_44] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149468

gerritbot added a comment.May 22 2025, 7:45 PM

Change #1149468 merged by jenkins-bot:

[mediawiki/extensions/TitleIcon@REL1_44] SECURITY: Escape unicode icons

https://gerrit.wikimedia.org/r/1149468

RhinosF1 added a subscriber: sbassett.May 22 2025, 7:47 PM
In T394721#10850435, @cicalese wrote:

Please also do a version bump to 6.2.1 in extension.json in all patched branches that did not get a MW version bump and a version bump to 6.3.0 in all branches that got a MW version bump from 1.39.0 to 1.40.0. Thank you!

Hi Cindy, I don't think that's a normal part of the security patching process. If you want to follow up with a version bump, you're more than welcome to.

@sbassett: patches have been merged on all supported branches and we've additionally done https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TitleIcon/+/1149462 to fix master CI, Can you add it to the supplemental tracker and make public when suited? We've already deployed and confirmed it fixed the report example on Miraheze.

cicalese added a comment.May 22 2025, 9:07 PM

I will add the version bump. As a secure software engineering principle, it is important for a site maintainer to be able to easily confirm that they are using a version of the code that has a vulnerability patched.

gerritbot added a comment.May 23 2025, 1:09 PM

Change #1149658 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/TitleIcon@master] Bump version number due to T394721

https://gerrit.wikimedia.org/r/1149658

gerritbot added a comment.May 23 2025, 1:18 PM

Change #1149659 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/TitleIcon@REL1_39] Bump version number due to T394721

https://gerrit.wikimedia.org/r/1149659

gerritbot added a comment.May 23 2025, 1:19 PM

Change #1149660 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/TitleIcon@REL1_43] Bump version number due to T394721

https://gerrit.wikimedia.org/r/1149660

gerritbot added a comment.May 23 2025, 1:19 PM

Change #1149661 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/TitleIcon@REL1_44] Bump version number due to T394721

https://gerrit.wikimedia.org/r/1149661

gerritbot added a comment.May 23 2025, 1:20 PM

Change #1149662 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/TitleIcon@REL1_42] Bump version number due to T394721

https://gerrit.wikimedia.org/r/1149662

gerritbot added a comment.May 23 2025, 1:20 PM

Change #1149659 merged by jenkins-bot:

[mediawiki/extensions/TitleIcon@REL1_39] Bump version number due to T394721

https://gerrit.wikimedia.org/r/1149659

gerritbot added a comment.May 23 2025, 1:21 PM

Change #1149662 abandoned by Cicalese:

[mediawiki/extensions/TitleIcon@REL1_42] Bump version number due to T394721

Reason:

still at version 6.1

https://gerrit.wikimedia.org/r/1149662

gerritbot added a comment.May 23 2025, 1:21 PM

Change #1149658 merged by jenkins-bot:

[mediawiki/extensions/TitleIcon@master] Bump version number due to T394721

https://gerrit.wikimedia.org/r/1149658

gerritbot added a comment.May 23 2025, 1:23 PM

Change #1149660 merged by jenkins-bot:

[mediawiki/extensions/TitleIcon@REL1_43] Bump version number due to T394721

https://gerrit.wikimedia.org/r/1149660

gerritbot added a comment.May 23 2025, 1:23 PM

Change #1149661 merged by jenkins-bot:

[mediawiki/extensions/TitleIcon@REL1_44] Bump version number due to T394721

https://gerrit.wikimedia.org/r/1149661

Mstyles added a project: Vuln-XSS.May 27 2025, 3:40 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.May 27 2025, 3:41 PM
sbassett edited projects, added SecTeam-Processed; removed Patch-For-Review.
Mstyles mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).May 27 2025, 3:44 PM
cicalese closed this task as Resolved.May 27 2025, 3:54 PM
SomeRandomDeveloper added a comment.Jun 25 2025, 9:21 PM

@sbassett can this task be made public? The fixes have been merged more than a month ago

sbassett added a comment.Jun 25 2025, 9:27 PM
In T394721#10948816, @SomeRandomDeveloper wrote:

@sbassett can this task be made public? The fixes have been merged more than a month ago

Yes.

sbassett triaged this task as Medium priority.Jun 25 2025, 9:27 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
mmartorana renamed this task from XSS in TitleIcon to CVE-2025-7363: XSS in TitleIcon.Jul 8 2025, 5:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits