Page MenuHomePhabricator
Feed Search

Search
Use Results
Hide Query

Nov 1 2025

gui-ying233 added a comment to T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.

We need to keep this issue private until the next core mediawiki security release, due out at the end of September 2025. I've subscribed #acl_release_security_pre_announce to this task for external operators to patch early if they so choose. @Reedy, who manages the core mediawiki security releases, can decide if a special supplemental announcement regarding this issue should accompany the core mediawiki security release.

Nov 1 2025, 1:57 PM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team

Aug 13 2025

gui-ying233 added a comment to T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.

Should we also prepare an FAQ similar to the 2021-12 security release/FAQ?

Aug 13 2025, 4:14 PM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team

Aug 5 2025

gui-ying233 updated gui-ying233.
Aug 5 2025, 5:15 PM
gui-ying233 updated gui-ying233.
Aug 5 2025, 5:14 PM
gui-ying233 updated gui-ying233.
Aug 5 2025, 5:13 PM
gui-ying233 added a comment to T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.

Based on Reporting security bugs, do we need a CVE?

Aug 5 2025, 1:25 AM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team

Aug 4 2025

gui-ying233 updated subscribers of T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.

Added some friends who already knew and may be able to help with this vulnerability, since I assumed it was just an extension vulnerability.

Aug 4 2025, 1:31 PM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team
gui-ying233 added a comment to T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.
Aug 4 2025, 10:53 AM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team
gui-ying233 added a comment to T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.

FYI: XSS Filter Evasion Cheat Sheet

Aug 4 2025, 10:04 AM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team
gui-ying233 attached a referenced file: F65709324: QQ_1754300067826.png.
Aug 4 2025, 9:59 AM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team
gui-ying233 added a comment to T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.

Since I was the one who actually discovered this, please reopen this ticket and close the other one.

Aug 4 2025, 9:51 AM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team
gui-ying233 created T401099: CVE-2025-61638: Sanitizer::validateAttributes data-XSS.
Aug 4 2025, 9:39 AM · MW-1.44-release, MW-1.43-release, MW-1.39-release, Content-Transform-Team (Work In Progress), SecTeam-Processed, Vuln-XSS, MediaWiki-Parser, Security, Security-Team
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits