ghsa-p85q-mww9-gwqf
Vulnerability from github
Published
2025-07-03 21:38
Modified
2025-07-03 21:38
Summary
Citizen Short Description stored XSS vulnerability through wikitext
Details

Summary

Short descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page.

Details

The description provided by the user via the {{SHORTDESC:}} parser function is insufficiently sanitized by the sanitize() function, as html entities are decoded: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159 Via JS, the short description is then passed to mw.util.addSubtitle, which inserts it as raw HTML: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8 https://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563

PoC

  1. Enable ShortDescription
  2. Make sure $wgShortDescriptionEnableTagline is set to true (this is the default)
  3. Create a page and insert the following wikitext: {{SHORTDESC:<img src="" onerror="alert('shortdescription xss')">}}
  4. Visit the page

image image

Impact

Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "starcitizentools/short-description"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-03T21:38:37Z",
    "nvd_published_at": "2025-07-03T20:15:23Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nShort descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using `mw.util.addSubtitle`, allowing any user to insert arbitrary HTML into the DOM by editing a page.\n\n### Details\nThe description provided by the user via the `{{SHORTDESC:}}` parser function is insufficiently sanitized by the `sanitize()` function, as html entities are decoded:\nhttps://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159\nVia JS, the short description is then passed to `mw.util.addSubtitle`, which inserts it as raw HTML:\nhttps://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8\nhttps://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563\n\n### PoC\n1. Enable ShortDescription\n2. Make sure `$wgShortDescriptionEnableTagline` is set to `true` (this is the default)\n3. Create a page and insert the following wikitext: `{{SHORTDESC:\u0026lt;img src=\"\" onerror=\"alert(\u0027shortdescription xss\u0027)\"\u0026gt;}}`\n4. Visit the page\n\n![image](https://github.com/user-attachments/assets/8e467f28-3bb5-4462-b28b-14e145be743f)\n![image](https://github.com/user-attachments/assets/39e132c3-6a92-4f24-8aef-b915e8560f63)\n\n\n### Impact\nArbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.",
  "id": "GHSA-p85q-mww9-gwqf",
  "modified": "2025-07-03T21:38:37Z",
  "published": "2025-07-03T21:38:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-p85q-mww9-gwqf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53369"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bc4fdbaeb1dff127fb6d08c0d385b64aa128c8f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Citizen Short Description stored XSS vulnerability through wikitext"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…