Page MenuHomePhabricator
Create Task
Maniphest T418254

CVE-2026-39934: Stored XSS through system messages on the contributions tab of Special:EventDetails
Closed, ResolvedPublicSecurity
Actions

Description

The localised wiki names displayed on the "Contributions" tab of Special:EventDetails are coming from the project-localized-name-* messages, and are output without escaping (text() only).

Details

Risk Rating
Low
Author Affiliation
WMF Product
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: EventContributionsPager: escape wiki names for displaymediawiki/extensions/CampaignEventsmaster+5 -3
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Feb 24 2026, 3:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 24 2026, 3:21 PM
Daimona claimed this task.Feb 24 2026, 3:22 PM
Daimona added projects: Connection-Team (Connection-Current-Sprint), CampaignEvents, Vuln-XSS.
Daimona moved this task from Upcoming / refining 💡 to Code Review 💬 on the Connection-Team (Connection-Current-Sprint) board.Feb 24 2026, 3:29 PM
Daimona added a project: Patch-For-Review.

Proposed patch:

T418254.patch1 KBDownload

This code was introduced in r1206829 (for T410374), on 2025-11-27. This is not part of any MW release, so it only needs to be fixed in master (no backports needed).

Daimona added subscribers: JFernandez-WMF, ldelench_wmf, ifried and 3 others.Feb 24 2026, 3:31 PM
sbassett subscribed.Feb 24 2026, 7:25 PM
In T418254#11645995, @Daimona wrote:

Proposed patch:

T418254.patch1 KBDownload

CR+2, LGTM. I think we can try to get this deployed during next Monday's (2026-03-02) security window.

sbassett changed the task status from Open to In Progress.Mar 2 2026, 5:19 PM
sbassett triaged this task as Medium priority.
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
sbassett added a project: SecTeam-Processed.
Daimona added a comment.Mar 5 2026, 2:01 PM

@sbassett Hi, has the patch been deployed? If so, can we proceed with the public patch now, considering that it only needs a master fix per T418254#11645995.

sbassett added a comment.Mar 5 2026, 2:56 PM
In T418254#11677562, @Daimona wrote:

@sbassett Hi, has the patch been deployed? If so, can we proceed with the public patch now, considering that it only needs a master fix per T418254#11645995.

Hey, sadly, it looks like this one didn't go out during Monday's window. I can try to get it out today after the late backport window. And then we can open up the task.

Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Mar 5 2026, 10:46 PM
Mstyles subscribed.
In T418254#11645995, @Daimona wrote:

Proposed patch:

T418254.patch1 KBDownload

This code was introduced in r1206829 (for T410374), on 2025-11-27. This is not part of any MW release, so it only needs to be fixed in master (no backports needed).

Deployed

Mstyles mentioned this in T411394: Write and send supplementary release announcement for extensions and skins with security patches (1.43.7/1.44.4/1.45.2).Mar 5 2026, 10:50 PM
Daimona added a comment.Mar 6 2026, 11:59 PM
In T418254#11679671, @Mstyles wrote:

Deployed

Thanks! Can I proceed with the public fix now then?

sbassett added a subscriber: gerritbot.Mar 8 2026, 4:21 PM
In T418254#11684076, @Daimona wrote:
In T418254#11679671, @Mstyles wrote:

Deployed

Thanks! Can I proceed with the public fix now then?

Yes.

gerritbot added a comment.Mar 9 2026, 2:23 PM

Change #1249320 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/extensions/CampaignEvents@master] SECURITY: EventContributionsPager: escape wiki names for display

https://gerrit.wikimedia.org/r/1249320

gerritbot added a comment.Fri, Mar 13, 11:47 AM

Change #1249320 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@master] SECURITY: EventContributionsPager: escape wiki names for display

https://gerrit.wikimedia.org/r/1249320

Daimona moved this task from Code Review 💬 to QA 🐛 on the Connection-Team (Connection-Current-Sprint) board.Fri, Mar 13, 2:08 PM

The fix can be verified with $wgUseXssLanguage on a non-empty contribution tab.

And it should be possible to undeploy the security patch with next week's train.

Jdforrester-WMF added a project: MW-1.46-notes (1.46.0-wmf.20; 2026-03-17).Fri, Mar 13, 2:23 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Fri, Mar 13, 4:02 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
SecurityPatchBot changed the task status from In Progress to Open.Sat, Mar 14, 12:53 AM
SecurityPatchBot raised the priority of this task from Medium to Unbreak Now!.
SecurityPatchBot added a parent task: T413811: 1.46.0-wmf.20 deployment blockers.
Patch is blocking upcoming release

Patch 01-T418254.patch is currently failing to apply for the most recent code in the mainline branch of extensions/CampaignEvents. This is blocking MediaWiki release 1.46.0-wmf.20(T413811)

If the patch needs to be rebased

A new version of the patch can be placed at the right location in the deployment server with the following Scap command:

REVISED_PATCH=<path_to_revised_patch>
scap update-patch --message-body 'Rebase to solve merge conflicts' /srv/patches/next/extensions/CampaignEvents/01-T418254.patch "$REVISED_PATCH"

If the patch has been made public

The patch can be dropped in the deployment server with the following Scap command:

scap remove-patch --message-body 'Dropping patch already made public' /srv/patches/next/extensions/CampaignEvents/01-T418254.patch
Zabe changed the task status from Open to In Progress.Sat, Mar 14, 12:56 AM
Zabe lowered the priority of this task from Unbreak Now! to Medium.
Zabe subscribed.
commit a7829842fd2c224b75d24428ad0cab8631d73b82 (HEAD -> master)
Author: Alexander Vorwerk <zabe@avorwerk.net>
Date:   Sat Mar 14 00:55:51 2026 +0000

    Scap remove-patch: removed 1 patch
    
    Dropping patch already made public
    
    Removed patches:
    next:
      - extensions/CampaignEvents/01-T418254.patch
Zabe removed a parent task: T413811: 1.46.0-wmf.20 deployment blockers.Sat, Mar 14, 12:57 AM
MHorsey-WMF added a comment.Mon, Mar 16, 11:21 AM

@Daimona as this patch failed to deploy, does it require more work?

MHorsey-WMF moved this task from QA 🐛 to Ready for development on the Connection-Team (Connection-Current-Sprint) board.Mon, Mar 16, 11:22 AM
Daimona moved this task from Ready for development to QA 🐛 on the Connection-Team (Connection-Current-Sprint) board.Mon, Mar 16, 2:24 PM
In T418254#11713035, @MHorsey-WMF wrote:

@Daimona as this patch failed to deploy, does it require more work?

No, the patch has landed in master and testing instructions from T418254#11706736 are still valid.

The bot in T418254#11709279 warned that the previously applied private patch in production would no longer apply with this week's train due to a conflict, which is expected because the fix is now public. BUT, the fix was not backported to wmf.19; so, does that mean that production is currently not patched?

sbassett added a comment.Mon, Mar 16, 3:32 PM
In T418254#11713904, @Daimona wrote:

The bot in T418254#11709279 warned that the previously applied private patch in production would no longer apply with this week's train due to a conflict, which is expected because the fix is now public. BUT, the fix was not backported to wmf.19; so, does that mean that production is currently not patched?

The patch is still on wmf.19 in production:

( ^◡^)> pwd
/srv/mediawiki-staging/php-1.46.0-wmf.19/extensions/CampaignEvents
( ^◡^)> git log --graph --decorate --oneline -n5
* b363c975 (HEAD) SECURITY: EventContributionsPager: escape wiki names for display
...

Since the master patch got merged last week, it should make the cut today for wmf.20. And then the wmf.19 patch will "fall off" production. SecurityPatchBot is just aggressive in trying to call out potential conflicts with security patches before they happen.

Daimona added a comment.Mon, Mar 16, 3:33 PM

I see, thank you! I'm not familiar with the process, hence my question. I'll keep that in mind going forwards.

sbassett added a comment.EditedMon, Mar 16, 3:42 PM
In T418254#11714197, @Daimona wrote:

I see, thank you! I'm not familiar with the process, hence my question. I'll keep that in mind going forwards.

Sure, the high-level process looks a bit like:

  1. We push security patches up to deployment under various version-related staging directories
  2. We deploy these patches via scap, typically during the Monday security deployment window, but sometimes throughout the week
  3. If any of those patches conflict (due to public changes in the code or publicly merging the security patch), SecurityPatchBot uses a "next" directory to try to find these issues early and alert the security team and release engineering
  4. The aforementioned process ^ doesn't directly remove or modify any existing, applied security patches within Wikimedia production, it just alerts
  5. Though scap won't apply any conflicting security patches (technically it can't anyways) it finds (it considers them "dropped" or "released" in this context)
  6. The dropped/released security patches get cleaned up by the security team or release engineering throughout the week
Daimona added a comment.Mon, Mar 16, 5:24 PM

Thanks for the explanation, bookmarked for future reference :D

So, this task can be QAed as noted in T418254#11706736.

Mstyles renamed this task from XSS-via-i18n in localised wiki names on the contributions tab of Special:EventDetails to CVE-2026-39934: XSS-via-i18n in localised wiki names on the contributions tab of Special:EventDetails.Tue, Apr 7, 10:30 PM
Mstyles closed this task as Resolved.
sbassett renamed this task from CVE-2026-39934: XSS-via-i18n in localised wiki names on the contributions tab of Special:EventDetails to CVE-2026-39934: Stored XSS through system messages on the contributions tab of Special:EventDetails.Wed, Apr 8, 3:08 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits