Change Details

Original report to security@: > Hello, I am contacting you in reference of a security vulnerability found in the MediaWiki Parsoid service. > > In particular, the Parsoid web service page is vulnerable to reflected Cross Site scripting, via the following URL: <host>:<ParsoidPort>/<img src=x onerror"javascript:alert('XSS')"> > > Please see screenshot attached below: > > {F4675592} > > I am building a technical advisory to be published, with a CVE reservation number, to provide to the security community. > > Waiting to hear from your company, > > MediaWiki version: 1.27.0 > > I hope you find this useful. Please don't hesitate to contact me for further research or additional information in regards of this. TODOs to address this: [x] Create a patch fixing exploit [x] Darian reviews patch [] Deploy patch to Wikimedia cluster -- @Arlolra [x] Prepare v0.5.3 debian package -- @ssastry (yet to be uploaded) [] Prepare v0.5.3 npm library -- @Arlolra [] Prepare gerrit patchfor merge -- @Arlolra [] Prepare security fix announcement [] Merge gerrit patch, upload debian package, release npm library -- @ssastry, @arlolra [] Send announcement to wikitech-l, mediawiki-announce -- @ssastry

Original report to security@: > Hello, I am contacting you in reference of a security vulnerability found in the MediaWiki Parsoid service. > > In particular, the Parsoid web service page is vulnerable to reflected Cross Site scripting, via the following URL: <host>:<ParsoidPort>/<img src=x onerror"javascript:alert('XSS')"> > > Please see screenshot attached below: > > {F4675592} > > I am building a technical advisory to be published, with a CVE reservation number, to provide to the security community. > > Waiting to hear from your company, > > MediaWiki version: 1.27.0 > > I hope you find this useful. Please don't hesitate to contact me for further research or additional information in regards of this. TODOs to address this: [x] Create a patch fixing exploit -- @Arlolra [x] Darian reviews patch -- @dpatrick [] Deploy patch to Wikimedia cluster -- @Arlolra [x] Prepare v0.5.3 debian package -- @ssastry (yet to be uploaded) [] Prepare v0.5.3 npm library -- @Arlolra [] Prepare gerrit patch for merge -- @Arlolra [] Prepare security fix announcement -- @ssastry [] Upload and merge gerrit patch, upload debian package, release npm library -- @ssastry, @arlolra [] Send announcement to wikitech-l, mediawiki-announce -- @ssastry

Original report to security@: > Hello, I am contacting you in reference of a security vulnerability found in the MediaWiki Parsoid service. > > In particular, the Parsoid web service page is vulnerable to reflected Cross Site scripting, via the following URL: <host>:<ParsoidPort>/<img src=x onerror"javascript:alert('XSS')"> > > Please see screenshot attached below: > > {F4675592} > > I am building a technical advisory to be published, with a CVE reservation number, to provide to the security community. > > Waiting to hear from your company, > > MediaWiki version: 1.27.0 > > I hope you find this useful. Please don't hesitate to contact me for further research or additional information in regards of this. TODOs to address this: [x] Create a patch fixing exploit -- @Arlolra [x] Darian reviews patch -- @dpatrick [] Deploy patch to Wikimedia cluster -- @Arlolra [x] Prepare v0.5.3 debian package -- @ssastry (yet to be uploaded) [] Prepare v0.5.3 npm library -- @Arlolra [] Prepare gerrit patch for merge -- @Arlolra [] Prepare security fix announcement -- @ssastry [] MUpload and merge gerrit patch, upload debian package, release npm library -- @ssastry, @arlolra [] Send announcement to wikitech-l, mediawiki-announce -- @ssastry