Assalamualaikum Bug Hunter & Hi Everyone

This time we want to write about "CVE-2021-44855: Blind Stored XSS in VisualEditor media dialog", which we found on Wikipedia.

On October 16, 2021, we discovered a stored XSS vulnerability on https://commons.wikimedia.org/ (https://phabricator.wikimedia.org/T293556, CVE-2021-44855), and that finding is what led directly to "CVE-2021-44855: Blind Stored XSS in VisualEditor media dialog".

We then came across the VisualEditor media dialog on Wikipedia and saw that it fetches HTML from the API (where the payload is safely escaped), strips all formatting from that HTML, and then treats the resulting plain text as if it were HTML again. Stripping the formatting decodes the escaped characters back into raw markup, so the escaping done by the API is undone, which leads to a blind stored XSS.
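As an added illustration of that escape-then-unescape bug (our own sketch, not VisualEditor's code; the function names and the sample caption are made up), here is the unsafe handling next to the safe one:

```javascript
// Added illustration of the bug class described above, not VisualEditor's code.
// Function names and the sample caption are constructed for this example.

// Minimal HTML entity escape/unescape, enough for the characters involved.
const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const UNESCAPE = Object.fromEntries(Object.entries(ESCAPE).map(([k, v]) => [v, k]));

function escapeHtml(text) {
  return text.replace(/[&<>"]/g, (c) => ESCAPE[c]);
}

// "Remove all formatting": drop tags, then decode entities.
// This is what reading element.textContent gives you.
function htmlToPlainText(html) {
  return html.replace(/<[^>]*>/g, '').replace(/&(amp|lt|gt|quot);/g, (m) => UNESCAPE[m]);
}

// The API escapes the user-supplied caption, so the HTML it returns is safe.
function apiRender(caption) {
  return `<p class="caption">${escapeHtml(caption)}</p>`;
}

// Vulnerable pattern: plain text derived from the safe HTML is used as HTML again,
// so the decoded '<' and '>' become live markup (equivalent to el.innerHTML = text).
function dialogVulnerable(apiHtml) {
  const text = htmlToPlainText(apiHtml);
  return `<div class="preview">${text}</div>`;
}

// Fixed pattern: treat the derived string as text, never as markup
// (escape it again, or assign it with el.textContent instead of innerHTML).
function dialogFixed(apiHtml) {
  const text = htmlToPlainText(apiHtml);
  return `<div class="preview">${escapeHtml(text)}</div>`;
}

// Constructed sample caption containing markup; any tag would survive the same way.
const SAMPLE_CAPTION = 'Lighthouse <b>at dusk</b>';
```

Running `dialogVulnerable(apiRender(SAMPLE_CAPTION))` returns a string where `<b>` is real markup again, while `dialogFixed` keeps it as the literal text `&lt;b&gt;`.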

After we found the vulnerable point, we tried inserting an image on https://commons.wikimedia.org/ that carried the XSS payload.

Here's the picture:

And here is the result:

From the screenshot above, you can see that the plain text carrying HTML content is escaped.

We didn't want to sit on that for long either, so we reported it to Wikimedia.

Here's the report:

Without further ado: on October 18, 2021, the Wikimedia team confirmed to us that they had fixed the vulnerability. That was really fast, amazing.

We also double-checked the fix, and the XSS is no longer triggered in the VisualEditor media dialog.

Quoting the CVE-2021-44855 entry, the affected versions are versions before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

Now that Wikimedia has published security fixes for several vulnerabilities, take a moment to have a look at the URL below:

Thank you to the MediaWiki team for responding quickly to this vulnerability, and thank you to everyone who took the time to read this article.

Hall of Fame:

https://security.wikimedia.org/hall-of-fame/
