
CVE-2025-53492: Stored XSS in Extension:MintyDocs still reproducible
Status: Closed, Resolved | Visibility: Public | Type: Security

Description

The first XSS in MintyDocs (T395376) using the mintydocs_topic parser function is still reproducible. It appears a part of the patch I submitted has not been applied:

diff --git a/includes/MintyDocsParserFunctions.php b/includes/MintyDocsParserFunctions.php
index 9025277..068956a 100644
--- a/includes/MintyDocsParserFunctions.php
+++ b/includes/MintyDocsParserFunctions.php
@@ -256,8 +256,8 @@ class MintyDocsParserFunctions {
 
                foreach ( $processedParams as $paramName => $value ) {
                        if ( $paramName == 'display name' ) {
-                               $parserOutput->setPageProperty( 'MintyDocsDisplayName', $value );
-                               $displayTitle = $value;
+                               $displayTitle = htmlspecialchars( $value, ENT_QUOTES );
+                               $parserOutput->setPageProperty( 'MintyDocsDisplayName', $displayTitle );
                        } elseif ( $paramName == 'toc name' ) {
                                $tocDisplayTitle = $value;
                        } elseif ( $paramName == 'inherit' && $value == null ) {
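Review bot: escaping at parse time and then persisting the escaped string in the `MintyDocsDisplayName` page property (the new `setPageProperty( 'MintyDocsDisplayName', $displayTitle )` line) changes the stored data rather than the output, so any reader of that property that already escapes on render will now double-encode (e.g. `&amp;lt;`), and any reader that compares or sorts on it sees entity text instead of the raw name. The more conventional fix is to keep the raw `$value` in the page property and apply `htmlspecialchars( ..., ENT_QUOTES )` at the point where `$displayTitle` is emitted into HTML. Also worth checking in the same review: the adjacent `'toc name'` branch still assigns the raw `$value` to `$tocDisplayTitle`, so confirm that it is escaped wherever it is rendered.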

Creating a new task for this since the other one is already published.

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Event Timeline

Patch (this was already included in my last patch):

@Yaron_Koren please consider applying the patch file provided in the task next time. I always format my patches using git format-patch so they can easily be applied.
The message in your commit also did not state the issue sufficiently - not only were messages improperly escaped, but users were also able to insert JS via Wikitext, which is a big difference in severity.

@Yaron_Koren when you review this patch, it can go ahead and go through Gerrit since this extension is not deployed on WMF servers.

@SomeRandomDeveloper - thanks for catching that, and sorry I missed this change before! I just checked in this change here:

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1152771

@Mstyles - I don't understand; are you saying that there's some way, from within Phabricator, to send a patch to Gerrit?

@Yaron_Koren sorry for not making that clear, checking in the change to Gerrit was exactly what I meant.

Thanks @Yaron_Koren, I've tested the latest master commit on my local installation and was no longer able to reproduce this or any of the other XSS vulnerabilities I reported.

Just to clarify, per the standard documentation on security issues, for any Wikimedia-deployed code, we want to post patch files to protected bugs in Phabricator for review. These patches eventually get deployed to Wikimedia production and included within the primary or supplemental Wikimedia security releases. For extensions like MintyDocs, which aren't Wikimedia-deployed, this process doesn't apply, so pushing it up through gerrit is the standard way to get it reviewed and merged. And then we'll still plan to re-announce it (and similar issues) within the next supplemental security release.

Yaron_Koren claimed this task.

It's great to hear that this is fully fixed now!

sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Jly renamed this task from "Stored XSS in Extension:MintyDocs still reproducible" to "CVE-2025-53492: Stored XSS in Extension:MintyDocs still reproducible". Jun 30 2025, 7:19 PM