ghsa-jfj7-249r-7j2m
Vulnerability from github
Published
2025-06-27 20:50
Modified
2025-06-27 20:50
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
TabberNeue vulnerable to Stored XSS through wikitext
Details

Summary

Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the <tabber> tag.

Details

The args provided within the wikitext as attributes to the <tabber> tag are passed to the TabberComponentTabs class: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php#L76

In TabberComponentTabs, the attributes are validated before being supplied to the Tabs template. https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php#L15-L31 However, the validation is insufficient. What Sanitizer::validateTagAttributes does is call validateAttributes, which * - Discards attributes not on the given list * - Unsafe style attributes are discarded * - Invalid id attributes are re-encoded However, the attribute values are expected to be escaped when inserted into HTML.

The attribute values are then inserted into HTML without being escaped: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/templates/Tabs.mustache#L1

PoC

XSS through attributes:

  1. Go to Special:ExpandTemplates and insert the following wikitext: <tabber class='test123" onmouseenter="alert(1)"'> |-|First Tab Title= First tab content goes here. </tabber>
  2. Press "OK"
  3. Hover over the tabber

image

XSS through script tags:

  1. Go to Special:ExpandTemplates and insert the following wikitext: <tabber class='test123"&gt;&lt;script&gt;alert(2)&lt;/script&gt;'> |-|First Tab Title= First tab content goes here. </tabber>
  2. Press "OK" image

Impact

Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "starcitizentools/tabber-neue"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53093"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-27T20:50:40Z",
    "nvd_published_at": "2025-06-27T18:15:50Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nArbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the `\u003ctabber\u003e` tag.\n\n### Details\n\nThe `args` provided within the wikitext as attributes to the `\u003ctabber\u003e` tag are passed to the TabberComponentTabs class:\nhttps://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php#L76\n\nIn TabberComponentTabs, the attributes are validated before being supplied to the Tabs template.\nhttps://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php#L15-L31\nHowever, the validation is insufficient.\nWhat `Sanitizer::validateTagAttributes` does is call `validateAttributes`, which\n```\n\t * - Discards attributes not on the given list\n\t * - Unsafe style attributes are discarded\n\t * - Invalid id attributes are re-encoded\n```\nHowever, the attribute values are expected to be escaped when inserted into HTML.\n\nThe attribute values are then inserted into HTML without being escaped:\nhttps://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/templates/Tabs.mustache#L1\n\n### PoC\n#### XSS through attributes:\n1. Go to Special:ExpandTemplates and insert the following wikitext:\n```\n\u003ctabber class=\u0027test123\" onmouseenter=\"alert(1)\"\u0027\u003e\n|-|First Tab Title=\nFirst tab content goes here.\n\u003c/tabber\u003e\n```\n2. Press \"OK\"\n3. Hover over the tabber\n\n![image](https://github.com/user-attachments/assets/bb65a587-e277-4936-b9f9-400ad7c39040)\n\n\n#### XSS through script tags:\n1. Go to Special:ExpandTemplates and insert the following wikitext:\n```\n\u003ctabber class=\u0027test123\"\u0026gt;\u0026lt;script\u0026gt;alert(2)\u0026lt;/script\u0026gt;\u0027\u003e\n|-|First Tab Title=\nFirst tab content goes here.\n\u003c/tabber\u003e\n```\n2. Press \"OK\"\n![image](https://github.com/user-attachments/assets/a51ede5c-f9a0-49be-875e-37d30a083721)\n\n### Impact\nArbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.",
  "id": "GHSA-jfj7-249r-7j2m",
  "modified": "2025-06-27T20:50:40Z",
  "published": "2025-06-27T20:50:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-jfj7-249r-7j2m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53093"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/4cdf217ef96da74a1503d1dd0bb0ed898fc2a612"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/62ce0fcdf32bd3cfa77f92ff6b940459a14315fa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php#L15-L31"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php#L76"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/templates/Tabs.mustache#L1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TabberNeue vulnerable to Stored XSS through wikitext"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.