Original report to security@:
> Hello, I am contacting you in reference of a security vulnerability found in the MediaWiki Parsoid service.
>
> In particular, the Parsoid web service page is vulnerable to reflected Cross Site scripting, via the following URL: <host>:<ParsoidPort>/<img src=x onerror"javascript:alert('XSS')">
>
> Please see screenshot attached below:
>
> {F4675592}
>
> I am building a technical advisory to be published, with a CVE reservation number, to provide to the security community.
>
> Waiting to hear from your company,
>
> MediaWiki version: 1.27.0
>
> I hope you find this useful. Please don't hesitate to contact me for further research or additional information in regards of this.
TODOs to address this:
[x] Create a patch fixing exploit -- @Arlolra
[x] Darian reviews patch -- @dpatrick
[x] Deploy patch to Wikimedia cluster -- @Arlolra
[x] Prepare v0.5.3 debian package -- @ssastry (yet to be uploaded)
[x] Prepare v0.5.3 npm library -- @Arlolra
[x] Prepare gerrit patch for merge -- @Arlolra
[x] Prepare security fix announcement -- @ssastry
[x] Upload v0.5.3 debian package -- @ssastry, @dzahn and ops
[x] Release npm library -- @arlolra
[x] Upload and merge gerrit patch -- @arlolra, @ssastry
[] Update Parsoid deployment log with info about Parsoid deploy on 10/31 -- @arlolra
[] Send announcement to wikitech-l, mediawiki-announce -- @ssastry