Page MenuHomePhabricator
Create Task
Maniphest T402146

CVE-2025-62662: Stored XSS through system messages in AdvancedSearch
Closed, ResolvedPublicSecurity
Actions

Description

Multiple system messages are inserted as HTML by the AdvancedSearch extension, allowing for stored XSS.

Reproduction steps

  1. Enable AdvancedSearch
  2. Make sure $wgUseXssLanguage is set to 'true`
  3. Go to /w/index.php?search=test&uselang=x-xss

A number of alerts should pop up for the following messages:

  • advancedsearch-field-deepcategory
  • advancedsearch-field-fileh
  • advancedsearch-field-filetype
  • advancedsearch-field-filew
  • advancedsearch-field-hastemplate
  • advancedsearch-field-inlanguage
  • advancedsearch-field-intitle
  • advancedsearch-field-not
  • advancedsearch-field-or
  • advancedsearch-field-phrase
  • advancedsearch-field-plain
  • advancedsearch-field-sort
  • advancedsearch-field-subpageof

Cause

The messages are retrieved via mw.msg, which does not escape the contents, and stored in the head variable.
head is then inserted as HTML via a HTMLSnippet.

https://gerrit.wikimedia.org/g/mediawiki/extensions/AdvancedSearch/+/f61483a44c6420c4debddc447ff797574cc19a56/modules/ext.advancedSearch.defaultFields.js#95

Additional information

Details

Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Escape system messages before inserting them into HTMLmediawiki/extensions/AdvancedSearchREL1_39+1 -1
SECURITY: Escape system messages before inserting them into HTMLmediawiki/extensions/AdvancedSearchREL1_43+1 -1
SECURITY: Escape system messages before inserting them into HTMLmediawiki/extensions/AdvancedSearchREL1_44+1 -1
SECURITY: Escape system messages before inserting them into HTMLmediawiki/extensions/AdvancedSearchmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

SomeRandomDeveloper created this task.Aug 17 2025, 9:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 17 2025, 9:13 PM
SomeRandomDeveloper claimed this task.Aug 17 2025, 9:13 PM
SomeRandomDeveloper added projects: Advanced-Search, Vuln-XSS, affects-Miraheze.
SomeRandomDeveloper added a project: Patch-For-Review.Aug 17 2025, 9:16 PM

Patch:

T402146.patch1 KBDownload

SomeRandomDeveloper mentioned this in T397776: Write and send supplementary release announcement for extensions and skins with security patches (1.39.14/1.43.4/1.44.1).Aug 17 2025, 9:18 PM
sbassett changed the task status from Open to In Progress.Aug 18 2025, 4:37 PM
sbassett reassigned this task from SomeRandomDeveloper to Mstyles.
sbassett triaged this task as Low priority.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: SecTeam-Processed.
Mstyles moved this task from In Progress to Security Patch To Deploy on the Security-Team board.Aug 25 2025, 4:15 PM
In T402146#11092562, @SomeRandomDeveloper wrote:

Patch:

T402146.patch1 KBDownload

+2

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Aug 25 2025, 9:25 PM
sbassett subscribed.

The above patch was deployed during today's (2025-08-25) security window.

thiemowmde subscribed.Sep 11 2025, 7:14 AM
Reedy added a subscriber: gerritbot.Sep 17 2025, 2:03 PM
gerritbot added a comment.Sep 17 2025, 2:04 PM

Change #1189200 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/extensions/AdvancedSearch@master] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189200

Reedy closed this task as Resolved.Sep 17 2025, 2:05 PM
gerritbot added a comment.Sep 17 2025, 2:52 PM

Change #1189200 merged by jenkins-bot:

[mediawiki/extensions/AdvancedSearch@master] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189200

gerritbot added a comment.Sep 17 2025, 3:07 PM

Change #1189227 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/extensions/AdvancedSearch@REL1_44] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189227

gerritbot added a comment.Sep 17 2025, 3:07 PM

Change #1189228 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/extensions/AdvancedSearch@REL1_43] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189228

gerritbot added a comment.Sep 17 2025, 3:08 PM

Change #1189229 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/extensions/AdvancedSearch@REL1_39] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189229

gerritbot added a comment.Sep 17 2025, 3:08 PM

Change #1189229 abandoned by Reedy:

[mediawiki/extensions/AdvancedSearch@REL1_39] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189229

gerritbot added a comment.Sep 17 2025, 3:24 PM

Change #1189227 merged by jenkins-bot:

[mediawiki/extensions/AdvancedSearch@REL1_44] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189227

gerritbot added a comment.Sep 17 2025, 4:09 PM

Change #1189228 merged by jenkins-bot:

[mediawiki/extensions/AdvancedSearch@REL1_43] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189228

gerritbot added a comment.Sep 17 2025, 7:49 PM

Change #1189229 restored by Paladox:

[mediawiki/extensions/AdvancedSearch@REL1_39] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189229

SomeRandomDeveloper added a subscriber: Reedy.Sep 17 2025, 7:53 PM
In T402146#11191413, @gerritbot wrote:

Change #1189229 restored by Paladox:

[mediawiki/extensions/AdvancedSearch@REL1_39] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189229

@Reedy I've asked paladox to restore it and published an edit as the vulnerability is present on REL1_39 too, there just were too many merge conflicts

gerritbot added a comment.Sep 17 2025, 8:11 PM

Change #1189229 merged by jenkins-bot:

[mediawiki/extensions/AdvancedSearch@REL1_39] SECURITY: Escape system messages before inserting them into HTML

https://gerrit.wikimedia.org/r/1189229

Mstyles renamed this task from Stored XSS through system messages in AdvancedSearch to CVE-2025-62662: Stored XSS through system messages in AdvancedSearch.Oct 18 2025, 5:01 AM
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
A_smart_kitten reassigned this task from Mstyles to SomeRandomDeveloper.Oct 18 2025, 6:34 AM
A_smart_kitten removed a project: Patch-For-Review.
A_smart_kitten added subscribers: Mstyles, A_smart_kitten.

(reassigning to patch author for posterity)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits