Page MenuHomePhabricator
Create Task
Maniphest T395622

CVE-2025-53490: Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback
Closed, ResolvedPublic1 Estimated Story PointsSecurity
Actions

Description

The special pages in question have 3 instances of HTMLForm's validation-callback where an error message is returned using Message::text():

  • Invalid organizer
  • Invalid dashboard URL
  • Invalid event type

But when returning a string from validation-callback, the string is displayed as-is, so this is vulnerable to XSS-via-i18n. Returning the whole Message object would be enough to fix this.

Details

Risk Rating
Low
Author Affiliation
WMF Product
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: do not return result of Message::text() in validation-callbackmediawiki/extensions/CampaignEventsREL1_42+2 -4
SECURITY: do not return result of Message::text() in validation-callbackmediawiki/extensions/CampaignEventsmaster+2 -4
SECURITY: do not return result of Message::text() in validation-callbackmediawiki/extensions/CampaignEventsREL1_43+2 -4
SECURITY: do not return result of Message::text() in validation-callbackmediawiki/extensions/CampaignEventsREL1_44+2 -4
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.May 29 2025, 9:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 29 2025, 9:14 PM
Daimona claimed this task.May 29 2025, 9:16 PM
Daimona added projects: CampaignEvents, Connection-Team (Connection-Current-Sprint), Vuln-XSS, Essential-Work.
Daimona set the point value for this task to 1.
Daimona added subscribers: cmelo, MHorsey-WMF, VPuffetMichel and 3 others.
Daimona added a project: Patch-For-Review.May 29 2025, 9:26 PM
Daimona moved this task from Upcoming / refining 💡 to Code Review 💬 on the Connection-Team (Connection-Current-Sprint) board.

As usual, I'm assuming this to be low-risk since it's via i18n, but still, adding the patch here:

T395622.patch1 KBDownload

Note that the one for event types has a public fix in gerrit with a broader refactoring of that code. This was also introduced recently (T386273 / r1144701) and is behind a feature flag not enabled anywhere. Hence I excluded this from the security patch (also to avoid conflicts).

The patch above will need backporting to REL1_42, REL1_43, and REL1_44 (not 1.39 as the Message::text() calls were introduced in r889129 and r930213, with the oldest affected MW version being 1.40).

Once this is made public, I'd like to make a follow-up task to have phan-taint-check-plugin catch these (writing it here so I don't forget).

Mstyles moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Jun 2 2025, 4:26 PM
Mstyles subscribed.

+1 to this patch and going to get this out in today's security deploy. Adding support to the phan-taint-check-plugin for these issues is a great idea and I'll ping about a follow up task in case that doesn't happen.

sbassett added a project: SecTeam-Processed.Jun 2 2025, 4:52 PM
sbassett subscribed.Jun 2 2025, 5:07 PM
In T395622#10869366, @Daimona wrote:

As usual, I'm assuming this to be low-risk since it's via i18n, but still, adding the patch here:

T395622.patch1 KBDownload

CR+2, we'll plan to get this deployed during today's (2025-06-02) security window.

Mstyles added a comment.Jun 2 2025, 10:11 PM
In T395622#10876475, @sbassett wrote:
In T395622#10869366, @Daimona wrote:

As usual, I'm assuming this to be low-risk since it's via i18n, but still, adding the patch here:

T395622.patch1 KBDownload

CR+2, we'll plan to get this deployed during today's (2025-06-02) security window.

Deployed

Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Jun 2 2025, 10:12 PM
sbassett removed a project: Patch-For-Review.Jun 3 2025, 2:17 PM
Mstyles mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).Jun 9 2025, 4:23 PM
sbassett changed the task status from Open to In Progress.Jun 10 2025, 7:02 PM
sbassett triaged this task as Low priority.
Jly renamed this task from Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback to CVE-2025-53490: Multiple XSS-via-i18n in Special:EnableEventRegistration and Special:EditEventRegistration due to validation-callback.Jun 30 2025, 7:20 PM
Jly added a subscriber: gerritbot.Jul 2 2025, 5:11 PM
gerritbot added a comment.Jul 2 2025, 5:12 PM

Change #1165949 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/CampaignEvents@master] SECURITY: do not return result of Message::text() in validation-callback

https://gerrit.wikimedia.org/r/1165949

gerritbot added a project: Patch-For-Review.Jul 2 2025, 5:12 PM
gerritbot added a comment.Jul 2 2025, 5:18 PM

Change #1165950 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/CampaignEvents@REL1_44] SECURITY: do not return result of Message::text() in validation-callback

https://gerrit.wikimedia.org/r/1165950

gerritbot added a comment.Jul 2 2025, 5:18 PM

Change #1165951 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/CampaignEvents@REL1_43] SECURITY: do not return result of Message::text() in validation-callback

https://gerrit.wikimedia.org/r/1165951

gerritbot added a comment.Jul 2 2025, 5:19 PM

Change #1165952 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/CampaignEvents@REL1_42] SECURITY: do not return result of Message::text() in validation-callback

https://gerrit.wikimedia.org/r/1165952

gerritbot added a comment.Jul 2 2025, 6:14 PM

Change #1165950 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@REL1_44] SECURITY: do not return result of Message::text() in validation-callback

https://gerrit.wikimedia.org/r/1165950

gerritbot added a comment.Jul 2 2025, 6:23 PM

Change #1165951 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@REL1_43] SECURITY: do not return result of Message::text() in validation-callback

https://gerrit.wikimedia.org/r/1165951

gerritbot added a comment.Jul 2 2025, 9:14 PM

Change #1165949 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@master] SECURITY: do not return result of Message::text() in validation-callback

https://gerrit.wikimedia.org/r/1165949

Jly closed this task as Resolved.Jul 3 2025, 3:59 PM
Daimona mentioned this in T398654: Check HTMLForm's validation-callback in taint-check.Jul 3 2025, 5:42 PM
Daimona added a subscriber: Jly.

@Jly noting that the patch for 1.42 was not merged. 1.42 went EOL a few days ago, though, so maybe the intent was to abandon the patch? Also wondering, can this task can be made public now?

sbassett added a comment.Jul 7 2025, 2:10 PM
In T395622#10973423, @Daimona wrote:

@Jly noting that the patch for 1.42 was not merged. 1.42 went EOL a few days ago, though, so maybe the intent was to abandon the patch? Also wondering, can this task can be made public now?

Eh, this should technically be a part of the final security release for 1.42. So we (@Jly et al) should work to resolve those conflicts and get that change set merged.

gerritbot added a comment.Jul 7 2025, 2:33 PM

Change #1165952 merged by Daimona Eaytoy:

[mediawiki/extensions/CampaignEvents@REL1_42] SECURITY: do not return result of Message::text() in validation-callback

https://gerrit.wikimedia.org/r/1165952

Jly changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 7 2025, 6:50 PM
Jly changed the edit policy from "Custom Policy" to "All Users".
Jly changed Risk Rating from N/A to Low.
Jly removed a project: Patch-For-Review.Jul 8 2025, 3:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits