GHSA-P85Q-MWW9-GWQF

Vulnerability from github – Published: 2025-07-03 21:38 – Updated: 2025-07-03 21:38
VLAI?
Summary
Citizen Short Description stored XSS vulnerability through wikitext
Details

Summary

Short descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page.

Details

The description provided by the user via the {{SHORTDESC:}} parser function is insufficiently sanitized by the sanitize() function, as html entities are decoded: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159 Via JS, the short description is then passed to mw.util.addSubtitle, which inserts it as raw HTML: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8 https://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563

PoC

  1. Enable ShortDescription
  2. Make sure $wgShortDescriptionEnableTagline is set to true (this is the default)
  3. Create a page and insert the following wikitext: {{SHORTDESC:<img src="" onerror="alert('shortdescription xss')">}}
  4. Visit the page

image image

Impact

Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.

Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "starcitizentools/short-description"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-03T21:38:37Z",
    "nvd_published_at": "2025-07-03T20:15:23Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nShort descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using `mw.util.addSubtitle`, allowing any user to insert arbitrary HTML into the DOM by editing a page.\n\n### Details\nThe description provided by the user via the `{{SHORTDESC:}}` parser function is insufficiently sanitized by the `sanitize()` function, as html entities are decoded:\nhttps://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159\nVia JS, the short description is then passed to `mw.util.addSubtitle`, which inserts it as raw HTML:\nhttps://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8\nhttps://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563\n\n### PoC\n1. Enable ShortDescription\n2. Make sure `$wgShortDescriptionEnableTagline` is set to `true` (this is the default)\n3. Create a page and insert the following wikitext: `{{SHORTDESC:\u0026lt;img src=\"\" onerror=\"alert(\u0027shortdescription xss\u0027)\"\u0026gt;}}`\n4. Visit the page\n\n![image](https://github.com/user-attachments/assets/8e467f28-3bb5-4462-b28b-14e145be743f)\n![image](https://github.com/user-attachments/assets/39e132c3-6a92-4f24-8aef-b915e8560f63)\n\n\n### Impact\nArbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.",
  "id": "GHSA-p85q-mww9-gwqf",
  "modified": "2025-07-03T21:38:37Z",
  "published": "2025-07-03T21:38:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-p85q-mww9-gwqf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53369"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bc4fdbaeb1dff127fb6d08c0d385b64aa128c8f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Citizen Short Description stored XSS vulnerability through wikitext"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.