In which Claire accidentally finds her third security vulnerability while trying to fix a bug
Dates shown are when I reported the issue
2024-06-01: Citizen: Stored XSS in MediaWiki:Tagline (CVE-2024-36123, GHSA-jhm6-qjhq-5mf9)
Due to accidentally calling Message::text() (which returns unparsed wikitext) instead of Message::parse() (which returns parsed wikitext as HTML), an administrator can edit MediaWiki:Tagline to inject an XSS payload for Citizen users
2024-07-08: CSS: CSS sanitization bypass through @import (CVE-2024-47845, T368594)
Due to using a function not meant for sanitizing CSS files, anyone who can edit pages can add a crafted CSS file that loads another CSS file from a remote server, bypassing sanitization and leaking the viewer's IP address along the way
(Originally discovered by Bawolff on 2024-06-27)
2024-07-08: CSS: Path traversal when loading local stylesheets (CVE-2024-47841, T369486)
Due to inadequete URL parsing, it is possible to use backslashes to avoid the path traversal being detected and prevented while still having spec-compliant browsers travel one folder up.
2024-07-22: Cargo: Users can call arbitrary SQL functions (CVE-2024-47849, T370632)
Due to the regex used for detecting SQL functions not handling backticks, a user can inject backticks without Cargo noticing and preventing the query, allowing it to pass through the database
2024-08-11: Cargo: No CSRF protection on Special:DeleteCargoTable and Special:SwitchCargoTable (CVE-2024-47846, T372209)
Due to Cargo not checking the CSRF token (also called an "edit token" in MediaWiki), administrators can be tricked into deleting and switching in tables by simply travelling to a link with the "delete" or "switch" URL query parameter
2024-08-11: Cargo: Various stored, reflective, and DOM-based XSSes (primarily requiring high privileges, but some with low or none as well) (CVE-2024-47847, T372211)
Due to a systemic lack of escaping, users and administrators alike can inject XSS payloads
2024-09-06: NeoChat: User IP address leaks through malicious messages (CVE-2024-52868, KDE Advisory 20241120-1)
Due to a lack of escaping, a malicious user with the ability to send messages in a room can send messages that can leak the IP address of any NeoChat client displaying the malicious message (with or without user interaction)
2024-09-28: Citizen: Stored, self-XSS in user "real name" setting (CVE-2024-47536, GHSA-62r2-gcxr-426x)
Due to a lack of escaping, a user can XSS themselves by setting an XSS payload in their "real name" field
2024-10-01: DataDump: Stored XSS in Special:DataDump when outputting dump status (CVE-2024-47612, GHSA-h8x8-24c7-r2rj, T12670)
Due to a lack of escaping, an administrator can edit some interface messages to XSS those who can view Special:DataDump
2024-10-04: CreateWiki: Stored XSS in Special:RequestWikiQueue when displaying sitename (CVE-2024-47781, GHSA-h527-jh77-5g7j, T12693)
Due to a lack of escaping, anyone who can request a wiki (the ability of which is freely granted to new users) can set an XSS payload as their requested wiki name
2024-10-04: WikiDiscover: Stored XSS in Special:WikiDiscover when displaying wiki information (CVE-2024-47782, GHSA-wf48-rqx3-39mf, T12697)
Due to a lack of escaping, anyone who can modify a wiki's name and description (which is easy to achieve, since it is relatively simple to create a wiki) can XSS anyone who views Special:WikiDiscover
2024-10-04: ImportDump: Stored XSS in Special:RequestImportQueue when displaying timestamp (CVE-2024-47812, GHSA-465h-45v4-6fx9, T12698)
Due to a lack of escaping, anyone who can modify interface messages can inject XSS payloads into Special:RequestImportQueue when it displays the timestamp of a request
2024-10-04: ImportDump: Users can impersonate import requesters if their actor IDs coincide (CVE-2024-47816, GHSA-jjmq-mg36-6387, T12701)
Since Special:RequestImportQueue was available on all wikis, due to the code storing and comparing the local actor IDs instead of CentralAuth IDs, users whose local actor IDs happen to coincide can comment and edit the request as if they're the requester
2024-10-04: IncidentReporting: Various stored XSSes in Special:IncidentReports (CVE-2024-47815, GHSA-9p36-hrmr-98r9, T12702)
Due to a systemic lack of escaping, anyone who can create incident reports and/or those who can edit interface messages can inject XSS payloads into various parts of Special:IncidentReports
2024-11-03: RefreshSpecial: Various stored XSSes from system messages in Special:RefreshSpecial (CVE-2025-23072, T378885)
Due to a lack of escaping, there were various stored XSSes on Special:RefreshSpecial when system messages are mistakenly treated as HTML
2024-11-13: DataTransfer: Various stored XSSes from system messages, missing CSRF protection, and blocked admins can edit pages (CVE-2025-23081, T379749)
Due to a systemic lack of escaping, there were various stored XSSes in the extension's special pages when system messages are improperly treated as HTML. Additionally, CSRF and block protection was missing
2024-12-01: OpenBadges: XSSes in Special:BadgeView (CVE-2025-23080, T381220)
Due to a lack of escaping, certain system messages can cause XSSes when used on Special:BadgeView
2024-12-09: ArticleFeedbackv5: Various stored XSSes (CVE-2025-23079, T381753)
Due to a systemic lack of escaping, those who can edit interface messages can XSS various users
2024-12-12: BreadCrumbs2: XSS when outputting display title (CVE-2025-23078, T382043)
Due to a lack of escaping, anyone who can edit pages can inject arbitrary HTML (and thus JavaScript) by setting the display name of a page
2025-01-04: TabberNeue: XSS in error output for <tabbertransclude> (CVE-2025-21612, GHSA-4x6x-8rm8-c37j)
Due to a lack of escaping, anyone who can render wikitext (e.g. by viewing a page or via Special:ExpandTemplates) can use an XSS payload as the title of a page to XSS the user
2025-01-07: Medik: Low-severity stored XSSes for config variables and system messages (efe9600, credit, T13063)
Due to a lack of escaping, those who can edit certain configuration variables or system messages can XSS viewers
2025-02-13: Lakeus: Low-severity stored XSSes from system messages (CVE-2025-25287, GHSA-mq77-3q68-v64v)
Due to a systemic lack of escaping, those who can edit system messages can XSS viewers
The source code to this website is under the MIT license.
Unless otherwise specified, the text and images on this site are under CC BY-SA 4.0.
Made by a 🏳️⚧️ person · Source code (Average Codestuff, Github)