Hi everyone, On Oct 16 2021, we discovered this XSS STORED vulnerability at https://commons.wikimedia.org/ and at that time we immediately reported it to Team WikiMedia. Let’s take a minute to look at this. At that time, we found a subdomain https://commons.wikimedia.org/ , and there was a File upload feature.
![[ CVE-2021-46146 ] Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org](https://miro.medium.com/fit/c/224/224/1*KVZ6sPCivS11tV3kA3SFJA.jpeg)
![[ CVE-2021-46146 ] Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org](https://miro.medium.com/fit/c/160/112/1*KVZ6sPCivS11tV3kA3SFJA.jpeg)
![[CVE-2021–44855] Blind Stored XSS in VisualEditor media dialog at Wikipedia](https://miro.medium.com/fit/c/224/224/1*ooqo_zh1AD-JWpgC0mpk7Q.jpeg)
![[CVE-2021–44855] Blind Stored XSS in VisualEditor media dialog at Wikipedia](https://miro.medium.com/fit/c/160/112/1*ooqo_zh1AD-JWpgC0mpk7Q.jpeg)
