Original report to security@:
> Hello, I am contacting you in reference to a security vulnerability found in the MediaWiki Parsoid service.
>
> In particular, the Parsoid web service page is vulnerable to reflected Cross Site scripting, via the following URL: <host>:<ParsoidPort>/<img src=x onerror"javascript:alert('XSS')">
>
> Please see screenshot attached below:
>
> {F4675592}
>
> I am building a technical advisory to be published, with a CVE reservation number, to provide to the security community.
>
> Waiting to hear from your company,
>
> MediaWiki version: 1.27.0
>
> I hope you find this useful. Please don't hesitate to contact me for further research or additional information in regard to this.
TODOs to address this:
[x] Create a patch fixing exploit
[x] Darian reviews patch
[] Deploy patch to Wikimedia cluster -- @Arlolra
[x] Prepare v0.5.3 debian package -- @ssastry (yet to be uploaded)
[] Prepare v0.5.3 npm library -- @Arlolra
[] Prepare gerrit patch for merge -- @Arlolra
[] Prepare security fix announcement
[] Merge gerrit patch, upload debian package, release npm library -- @ssastry, @arlolra
[] Send announcement to wikitech-l, mediawiki-announce -- @ssastry