Page MenuHomePhabricator
Create Task
Maniphest T396946

CVE-2025-53496: Stored XSS through a system message in MediaSearch
Closed, ResolvedPublicSecurity
Actions

Description

The mediasearch-empty-state system message is inserted as raw HTML by the MediaSearch extension, allowing for stored XSS by adding malicious HTML to the message.

Reproduction

  1. Edit MediaWiki:Mediasearch-empty-state to <img src="" onerror="alert('mediasearch-empty-state')"> (Note that <script> tags do not work here due to the way the HTML is inserted)
  2. Visit Special:MediaSearch

image.png (129×396 px, 6 KB)

Cause

mw.msg() returns the message using the text() output mode without escaping any HTML.
https://github.com/wikimedia/mediawiki-extensions-MediaSearch/blob/10530d9a7800784a09c8f062d19bd3269306b193/resources/components/EmptyState.vue#L32-L34

The message is then inserted as raw HTML via v-html:
https://github.com/wikimedia/mediawiki-extensions-MediaSearch/blob/10530d9a7800784a09c8f062d19bd3269306b193/resources/components/EmptyState.vue#L5-L6

Additional information

MediaWiki: 1.45.0-alpha (b6993c3)
MediaSearch: 10530d9

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Insert message as text instead of HTMLmediawiki/extensions/MediaSearchREL1_39+1 -4
SECURITY: Insert message as text instead of HTMLmediawiki/extensions/MediaSearchmaster+1 -4
SECURITY: Insert message as text instead of HTMLmediawiki/extensions/MediaSearchREL1_42+1 -4
SECURITY: Insert message as text instead of HTMLmediawiki/extensions/MediaSearchREL1_44+1 -4
SECURITY: Insert message as text instead of HTMLmediawiki/extensions/MediaSearchREL1_43+1 -4
Customize query in gerrit

Related Objects

Event Timeline

SomeRandomDeveloper created this task.Jun 15 2025, 11:06 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 15 2025, 11:06 AM
SomeRandomDeveloper claimed this task.Jun 15 2025, 11:06 AM
SomeRandomDeveloper added projects: MediaSearch, Vuln-XSS.
Restricted Application added a project: Structured-Data-Backlog. · View Herald TranscriptJun 15 2025, 11:06 AM
SomeRandomDeveloper added a comment.Jun 15 2025, 11:10 AM

Patch:

01-T396946.patch1 KBDownload

The non-JS template escapes the message too, so this should not cause any issues.

sbassett moved this task from Incoming to In Progress on the Security-Team board.Jun 16 2025, 4:20 PM
sbassett added a project: SecTeam-Processed.
sbassett subscribed.Jun 16 2025, 5:57 PM
In T396946#10915735, @SomeRandomDeveloper wrote:

Patch:

01-T396946.patch1 KBDownload

The non-JS template escapes the message too, so this should not cause any issues.

LGTM. I suppose this is the same as changing the existing v-html attribute to v-text? At least AFAIK. Anyhow, we can get this deployed during today's security deployment window.

sbassett moved this task from In Progress to Security Patch To Deploy on the Security-Team board.Jun 16 2025, 5:58 PM
SomeRandomDeveloper added a comment.Jun 16 2025, 7:30 PM
In T396946#10919972, @sbassett wrote:

LGTM. I suppose this is the same as changing the existing v-html attribute to v-text? At least AFAIK. Anyhow, we can get this deployed during today's security deployment window.

According to the docs, it is the same, but I preferred using the mustache syntax here since it's easier to read.

sbassett added a comment.Jun 16 2025, 9:39 PM

The above patch has been deployed to Wikimedia production. I'll also add it to the next supplemental security release (T389312).

sbassett mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).Jun 16 2025, 9:39 PM
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.
Jly renamed this task from Stored XSS through a system message in MediaSearch to CVE-2025-53486: Stored XSS through a system message in MediaSearch.Jun 30 2025, 7:22 PM
Jly renamed this task from CVE-2025-53486: Stored XSS through a system message in MediaSearch to CVE-2025-53496: Stored XSS through a system message in MediaSearch.Jun 30 2025, 7:26 PM
Jly added a subscriber: gerritbot.Jul 2 2025, 11:45 PM
gerritbot added a comment.Jul 2 2025, 11:45 PM

Change #1166030 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/MediaSearch@master] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166030

gerritbot added a project: Patch-For-Review.Jul 2 2025, 11:45 PM

Change #1166032 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/MediaSearch@REL1_44] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166032

gerritbot added a comment.Jul 2 2025, 11:46 PM

Change #1166033 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/MediaSearch@REL1_43] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166033

gerritbot added a comment.Jul 2 2025, 11:46 PM

Change #1166034 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/MediaSearch@REL1_42] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166034

gerritbot added a comment.Jul 2 2025, 11:47 PM

Change #1166035 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/MediaSearch@REL1_39] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166035

gerritbot added a comment.Jul 7 2025, 6:55 PM

Change #1166030 merged by Jly:

[mediawiki/extensions/MediaSearch@master] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166030

gerritbot added a comment.Jul 7 2025, 6:55 PM

Change #1166033 merged by Jly:

[mediawiki/extensions/MediaSearch@REL1_43] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166033

gerritbot added a comment.Jul 7 2025, 6:55 PM

Change #1166032 merged by Jly:

[mediawiki/extensions/MediaSearch@REL1_44] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166032

gerritbot added a comment.Jul 7 2025, 7:16 PM

Change #1166034 merged by Jly:

[mediawiki/extensions/MediaSearch@REL1_42] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166034

Jly closed this task as Resolved.Jul 8 2025, 7:13 PM
Jly removed a project: Patch-For-Review.
Jly changed the visibility from "Custom Policy" to "Public (No Login Required)".
Jly changed the edit policy from "Custom Policy" to "All Users".
Jly changed Risk Rating from N/A to Low.
gerritbot added a comment.Jul 11 2025, 6:19 PM

Change #1166035 merged by Jly:

[mediawiki/extensions/MediaSearch@REL1_39] SECURITY: Insert message as text instead of HTML

https://gerrit.wikimedia.org/r/1166035

SomeRandomDeveloper mentioned this in T400585: Use img elements for x-xss language code.Jul 27 2025, 9:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits