ghsa-p85q-mww9-gwqf
Vulnerability from github
Summary
Short descriptions are not properly sanitized by the ShortDescription extension before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page.
Details
The description provided by the user via the {{SHORTDESC:}} parser function is insufficiently sanitized by the sanitize() function, as HTML entities are decoded:
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159
Via JS, the short description is then passed to mw.util.addSubtitle, which inserts it as raw HTML:
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8
https://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563
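The two steps described above (an entity-decoding sanitize() step, followed by a sink that treats its argument as raw HTML) modelled in JavaScript as an added example. This is not the extension's or MediaWiki's code: sanitizeWithDecode, sanitizeEscapeOnly, renderSubtitle and isSafeForHtmlSink are this example's own names, and treating sanitize() as "escape, then decode entities" is a simplifying assumption about the linked code, chosen to show why a decode step before an HTML sink undoes the escaping.

```javascript
'use strict';

// Added example, not the extension's or MediaWiki's own code. It models the
// two-step flaw the advisory describes: a sanitize() step that decodes HTML
// entities, followed by a sink (stand-in for mw.util.addSubtitle) that treats
// its argument as raw HTML. All function names here are this example's own.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE_MAP = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };

// Escape the five characters that are significant in HTML text and attribute contexts.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Decode the same entities in a single pass (so "&amp;lt;" yields "&lt;", not "<").
function decodeEntities(text) {
  return text.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => DECODE_MAP[e]);
}

// Vulnerable model (assumption: the escaping is undone by a later entity decode).
// Decoding after escaping restores every '<' and '>' the escape step removed.
function sanitizeWithDecode(description) {
  return decodeEntities(escapeHtml(description));
}

// Hardened model: escape exactly once and never decode on the way to an HTML sink.
function sanitizeEscapeOnly(description) {
  return escapeHtml(description);
}

// Stand-in for mw.util.addSubtitle: whatever string it receives becomes markup.
function renderSubtitle(html) {
  return '<div class="shortdescription">' + html + '</div>';
}

// Sink-side guard: display text handed to an HTML sink must carry no raw tag delimiters.
function isSafeForHtmlSink(text) {
  return !/[<>]/.test(text);
}

// Does the rendered markup contain an element the page author never wrote?
function introducesElement(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

// Constructed sample values: the advisory's PoC description and a benign one.
const POC_DESCRIPTION = '<img src="" onerror="alert(\'shortdescription xss\')">';
const BENIGN_DESCRIPTION = 'Ship & fighter "Gladius" <2nd gen>';

// Run one description through both models and report what reaches the sink.
function compare(description) {
  const vulnerableOut = sanitizeWithDecode(description);
  const hardenedOut = sanitizeEscapeOnly(description);
  return {
    vulnerableMarkup: renderSubtitle(vulnerableOut),
    hardenedMarkup: renderSubtitle(hardenedOut),
    vulnerablePassesGuard: isSafeForHtmlSink(vulnerableOut),
    hardenedPassesGuard: isSafeForHtmlSink(hardenedOut),
  };
}

const result = compare(POC_DESCRIPTION);
console.log('vulnerable:', result.vulnerableMarkup);
console.log('hardened:  ', result.hardenedMarkup);
```

Run it with node. The hardened path keeps the description visible to readers exactly as typed (the benign sample with `&`, quotes and angle brackets survives the round trip), while the browser receives no new element. The isSafeForHtmlSink guard is a last-line check at the sink; the actual fix is to escape once and not decode, not to rely on the guard.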
PoC
- Enable ShortDescription
- Make sure $wgShortDescriptionEnableTagline is set to true (this is the default)
- Create a page and insert the following wikitext: {{SHORTDESC:<img src="" onerror="alert('shortdescription xss')">}}
- Visit the page
Impact
Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.
Advisory record
- ID: GHSA-p85q-mww9-gwqf
- Aliases: CVE-2025-53369
- Record summary: Citizen Short Description stored XSS vulnerability through wikitext
- Affected package: starcitizentools/short-description (ecosystem: Packagist)
- Affected range: introduced 4.0.0, fixed 4.0.1 (range type: ECOSYSTEM)
- CWE: CWE-79
- Severity: HIGH
- CVSS (CVSS_V3): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
- Published: 2025-07-03T21:38:37Z
- Modified: 2025-07-03T21:38:37Z
- GitHub reviewed: true (reviewed at 2025-07-03T21:38:37Z)
- NVD published: 2025-07-03T20:15:23Z
- Schema version: 1.4.0
- References:
- WEB: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-p85q-mww9-gwqf
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-53369
- WEB: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bc4fdbaeb1dff127fb6d08c0d385b64aa128c8f8
- PACKAGE: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription