
CVE-2025-53493: Stored XSS in Extension:MintyDocs
Closed, ResolvedPublicSecurity

Authored By
SomeRandomDeveloper
May 27 2025, 8:28 PM
Referenced Files
F60716194: 01-T395376.patch (May 27 2025, 9:06 PM)
F60712852, F60712766, F60712723, F60712708, F60712686, F60712673, F60712633: image.png (screenshots, May 27 2025, 8:28 PM)

Description

The MintyDocs extension is vulnerable to stored XSS in several places. The parser-function cases below need only the ability to edit a MintyDocs page: the payload is saved in the page's wikitext and runs for every viewer. The system-message cases need a way to control message text, which on a default wiki is limited to users with the editinterface right.

Stored XSS through parser functions

mintydocs_topic

  1. Make sure "Show preview without reloading the page" is enabled in your preferences
  2. Create a topic page and insert {{#mintydocs_topic:display name=<script>alert("Topic XSS")</script>}} into the edit box
  3. Click "Show preview"

image.png (165×440 px, 6 KB)

The display title is set to the value of the "display name" parameter without any sanitization: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsParserFunctions.php#L279
According to https://doc.wikimedia.org/mediawiki-core/master/php/classMediaWiki_1_1Parser_1_1ParserOutput.html#a926241e270866eb52b06047d978f7dc8, setDisplayTitle() expects safe HTML, so the caller is responsible for escaping (or parsing) the parameter before passing it; here the raw parameter, literal <script> element included, is passed through. Preview is only a shortcut: once the page is saved, the payload is stored in its wikitext and runs for every viewer.

mintydocs_manual (1)

  1. Make sure "Show preview without reloading the page" is enabled in your preferences
  2. Create a manual page and insert {{#mintydocs_manual:display name=<script>alert("Manual XSS 1")</script>}} into the edit box
  3. Click "Show preview"

image.png (162×406 px, 6 KB)

The display title is set to the value of the "display name" parameter without any sanitization: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsParserFunctions.php#L219
According to https://doc.wikimedia.org/mediawiki-core/master/php/classMediaWiki_1_1Parser_1_1ParserOutput.html#a926241e270866eb52b06047d978f7dc8, setDisplayTitle() expects safe HTML, so the same escaping is missing here as in the mintydocs_topic case.

mintydocs_manual (2)

  1. Create a manual page with the content {{#mintydocs_manual:display name=<script>alert("Manual XSS 2")</script>}}
  2. Go to a topic page that is a subpage of this manual page

image.png (156×416 px, 6 KB)

The display name (defined via the "display name" parameter, not the one built into MW) is inserted into raw HTML without sanitization: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsTopic.php#L161

mintydocs_version

  1. Create a version page with the content {{#mintydocs_version: manuals list=<script>alert("version xss")</script>}}
  2. Visit the page

image.png (154×414 px, 6 KB)

The content of the manuals list parameter is inserted into raw HTML without sanitization: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsVersion.php#L60

Stored XSS through system messages

x-xss is a MediaWiki testing pseudo-language, enabled by $wgUseXssLanguage, in which every system message resolves to an XSS probe. If the probe fires, the extension is writing that message into HTML without escaping (typically Message::text() or Message::plain() where Message::escaped() or Message::parse() was needed). In each case below the message key named in the heading is the one emitted unescaped.

mintydocs-topic-desc

  1. Make sure $wgUseXssLanguage is set to true
  2. Go to a topic page
  3. Append ?uselang=x-xss to the end of the URL

image.png (157×412 px, 7 KB)

Cause: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsTopic.php#L99

mintydocs-topic-otherversions

  1. Make sure $wgUseXssLanguage is set to true
  2. Go to a topic page that exists in multiple versions
  3. Append ?uselang=x-xss to the end of the URL

image.png (208×432 px, 11 KB)

Cause: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsTopic.php#L105

mintydocs-manual-desc

  1. Make sure $wgUseXssLanguage is set to true
  2. Go to a manual page
  3. Append ?uselang=x-xss to the end of the URL

image.png (164×421 px, 7 KB)

Cause: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsManual.php#L28

mintydocs-manual-otherversions

  1. Make sure $wgUseXssLanguage is set to true
  2. Go to a manual page that exists in multiple versions
  3. Append ?uselang=x-xss to the end of the URL

image.png (193×405 px, 15 KB)

Cause: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsManual.php#L34

mintydocs-version-desc

  1. Make sure $wgUseXssLanguage is set to true
  2. Go to a version page
  3. Append ?uselang=x-xss to the end of the URL

image.png (160×416 px, 7 KB)

Cause: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsVersion.php#L43

mintydocs-product-versionlist

  1. Make sure $wgUseXssLanguage is set to true
  2. Go to a product page that has at least one version
  3. Append ?uselang=x-xss to the end of the URL

image.png (155×428 px, 7 KB)

Cause: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/MintyDocsProduct.php#L80

mintydocs-publish-success

  1. Make sure there are multiple drafts in your wiki
  2. Make sure $wgUseXssLanguage is set to true
  3. Go to the publish special page (Special:MintyDocsPublish) with the uselang parameter set to x-xss and publish multiple drafts at once

Cause: https://github.com/wikimedia/mediawiki-extensions-MintyDocs/blob/f3427df9bd0d421d3af99b052cf471f8af7817c8/includes/specials/MintyDocsPublish.php#L392
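The following is an added example for this task, not MintyDocs or MediaWiki code. It models in plain PHP the sinks described in both sections above (the display-name parameter handed to setDisplayTitle() or concatenated into HTML, and a system message emitted unescaped, exercised through a stand-in for the x-xss language) next to the escaped form of each, so the difference can be run and checked with `php mintydocs_sinks.php` without a wiki. The CSS class name, the English message texts and the exact x-xss probe text are assumptions made for the demonstration; the payloads are the ones from the reproduction steps.

```php
<?php
// Added example for this task page; it is not MintyDocs or MediaWiki code.
// It models the sinks from the report in plain PHP so it runs without a wiki:
//   php mintydocs_sinks.php
//
// In the extension the display name is handed to ParserOutput::setDisplayTitle()
// (documented as taking "safe HTML") or concatenated into an HTML string, and
// the messages are written into HTML unescaped. The fix is the same everywhere:
// escape untrusted text at the point where it becomes HTML. The CSS class name,
// the English message texts and the x-xss probe text below are assumptions.

declare( strict_types = 1 );

// Payloads exactly as used in the reproduction steps.
const PAYLOADS = [
	'mintydocs_topic'   => '<script>alert("Topic XSS")</script>',
	'mintydocs_manual'  => '<script>alert("Manual XSS 2")</script>',
	'mintydocs_version' => '<script>alert("version xss")</script>',
];

/** Escape untrusted text for an HTML text node or quoted attribute. */
function escapeParam( string $value ): string {
	// ENT_QUOTES also covers single-quoted attributes; ENT_SUBSTITUTE keeps
	// invalid UTF-8 from collapsing the whole string to ''.
	return htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

/** Vulnerable: the raw parameter becomes the "safe HTML" given to setDisplayTitle(). */
function displayTitleUnsafe( string $displayName ): string {
	return $displayName;
}

/** Fixed: escape first, then the string really is safe HTML. */
function displayTitleSafe( string $displayName ): string {
	return escapeParam( $displayName );
}

/** Vulnerable: string concatenation, like the topic-header and manuals-list sinks. */
function fragmentUnsafe( string $label, string $untrusted ): string {
	return '<div class="mintydocs-example">' . $label . ': ' . $untrusted . '</div>';
}

/** Fixed: the equivalent of MediaWiki's Html::element( 'div', [ 'class' => ... ], $text ). */
function fragmentSafe( string $label, string $untrusted ): string {
	return '<div class="mintydocs-example">' . escapeParam( $label . ': ' . $untrusted ) . '</div>';
}

/**
 * Stand-in for message lookup. With $wgUseXssLanguage enabled, ?uselang=x-xss
 * makes MediaWiki resolve every message to an XSS probe, so any message that is
 * emitted without escaping fires. The probe text used here is an assumption.
 */
function message( string $key, string $lang ): string {
	$english = [
		'mintydocs-topic-desc'  => 'This is a topic.',
		'mintydocs-manual-desc' => 'This is a manual.',
	];
	if ( $lang === 'x-xss' ) {
		return '<script>alert("' . $key . '")</script>';
	}
	return $english[$key] ?? "($key)";
}

/** Vulnerable: Message::text()/plain() pasted into HTML. */
function messageUnsafe( string $key, string $lang ): string {
	return '<p>' . message( $key, $lang ) . '</p>';
}

/** Fixed: the equivalent of Message::escaped(). */
function messageSafe( string $key, string $lang ): string {
	return '<p>' . escapeParam( message( $key, $lang ) ) . '</p>';
}

/** True when a fragment still carries live script markup. */
function leaksScript( string $html ): bool {
	return stripos( $html, '<script' ) !== false;
}

// Self-check: every unsafe sink leaks, every fixed one does not.
$rows = [];
foreach ( PAYLOADS as $fn => $payload ) {
	$rows["$fn display title, unsafe"] = leaksScript( displayTitleUnsafe( $payload ) );
	$rows["$fn display title, fixed"]  = leaksScript( displayTitleSafe( $payload ) );
	$rows["$fn html fragment, unsafe"] = leaksScript( fragmentUnsafe( 'Manual', $payload ) );
	$rows["$fn html fragment, fixed"]  = leaksScript( fragmentSafe( 'Manual', $payload ) );
}
foreach ( [ 'mintydocs-topic-desc', 'mintydocs-manual-desc' ] as $key ) {
	$rows["$key via x-xss, unsafe"] = leaksScript( messageUnsafe( $key, 'x-xss' ) );
	$rows["$key via x-xss, fixed"]  = leaksScript( messageSafe( $key, 'x-xss' ) );
}
foreach ( $rows as $label => $leaks ) {
	printf( "%-45s %s\n", $label, $leaks ? 'XSS' : 'escaped' );
}
// Exit non-zero if any fixed sink still leaks, so the script doubles as a regression check.
$bad = array_filter( $rows, fn ( $leaks, $label ) => $leaks && str_ends_with( $label, 'fixed' ), ARRAY_FILTER_USE_BOTH );
exit( $bad ? 1 : 0 );
```

Two design points follow from this. For messages, Message::escaped() is right when the message is plain text and Message::parse() when it legitimately contains wikitext (the parser then sanitizes the result); Message::text() and Message::plain() should never be concatenated into HTML. For the display name, escaping is the minimal fix; if formatted display names are wanted, the parameter should be run through the parser rather than trusted as HTML, the way core's {{DISPLAYTITLE:}} does with a restricted tag whitelist.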

Additional information

  • MW: 1.45.0-alpha (4a86955)
  • PHP: 8.3.14 (fpm-fcgi)
  • MintyDocs: 1.4 (f3427df)
  • Browser: Firefox 138.0.4 (64-bit) on Fedora Linux 42

You might need to apply the following changes to get the extension working on MediaWiki master (>1.44):

diff --git a/includes/MintyDocsTopic.php b/includes/MintyDocsTopic.php
index 1527c2d..e4bf60f 100644
--- a/includes/MintyDocsTopic.php
+++ b/includes/MintyDocsTopic.php
@@ -1,5 +1,6 @@
 <?php
 
+use MediaWiki\Html\Html;
 use MediaWiki\MediaWikiServices;
 use MediaWiki\Title\Title;
 
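Review bot: this hunk only restores the `Html` import for MediaWiki master, so the unescaped display-name output at MintyDocsTopic.php#L161 reported above is unchanged by it; when the escaping fix lands in this file, route that output through `Html::element()` (which this import provides) or `htmlspecialchars()` instead of string concatenation, and say in the commit message that the import is a compatibility change rather than the security fix.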
diff --git a/includes/specials/MintyDocsPublish.php b/includes/specials/MintyDocsPublish.php
index 70b4068..e0486d1 100644
--- a/includes/specials/MintyDocsPublish.php
+++ b/includes/specials/MintyDocsPublish.php
@@ -1,6 +1,7 @@
 <?php
 
 use MediaWiki\Html\Html;
+use MediaWiki\Html\ListToggle;
 use MediaWiki\MediaWikiServices;
 use MediaWiki\Title\Title;

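Review bot: `use MediaWiki\Html\ListToggle;` ties MintyDocsPublish.php to a namespaced class that only recent MediaWiki releases provide, so the `requires` → `MediaWiki` constraint in extension.json needs to be raised to match, otherwise the file fails to load on the older branches the comments below say the fix was also applied to; the import itself is correctly placed in alphabetical order between `Html` and `MediaWikiServices`.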
Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

If @Yaron_Koren or anyone else wants to review the patch on this task, great. Otherwise it should eventually just go through gerrit and be added to the supplemental security release, as this isn't Wikimedia production-deployed.

@SomeRandomDeveloper - thank you for the detailed analysis, and for this great patch! I just merged in (I believe) all your changes, here:

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1151800

Feel free to close this if you think this is fixed now.

I assume this patch fully fixes these issues, since it's already been applied to other branches as well... feel free to re-open if not.

Yes. And we'll re-announce this with the next supplemental security release in late June / early July (T389312).

sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett raised the priority of this task from Low to Needs Triage. Jun 2 2025, 9:15 PM
sbassett set Security to Software security bug.
sbassett changed the visibility from "Public (No Login Required)" to "Custom Policy".

Re-protecting until the patch from T395737 is merged.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a project: SecTeam-Processed.
Jly renamed this task from Stored XSS in Extension:MintyDocs to CVE-2025-53493: Stored XSS in Extension:MintyDocs. Jun 30 2025, 7:19 PM