[ CVE-2021-46146 ] Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org

Aidil Arief
3 min readJan 11, 2022

Hi everyone,

On Oct 16 2021, we discovered this XSS STORED vulnerability at https://commons.wikimedia.org/ and at that time we immediately reported it to Team WikiMedia. Let’s take a minute to look at this.

At that time, we found a subdomain https://commons.wikimedia.org/ , and there was a File upload feature.

Then we tried to upload the file there, then we were redirected to filling out the form in the form of :

Of course the first thing we did was scan the XSS there by entering the commonly used XSS payload, namely:

“><img src=x onerror=prompt(document.domain)>

At first we weren’t sure about looking for XSS there, because it’s impossible for plain text to be passed as HTML there. But this is beyond our expectations, so the result is that plain Text carrying XSS payloads is passed as HTML there, and of course that will trigger XSS there.

We found a pop up there.

We then tried to contact the Wikimedia Security team to report the findings.

Then, on Oct 19 2021, the finding was fixed by the Wikimedia team, and it was very fast.

Quoting the source from snyksec :

Issues found on MediaWiki prior to 1.35.5, 1.36.x prior to 1.36.3, and 1.37.x prior to 1.37.1. The WikibaseMediaInfo component is vulnerable to XSS via text fields for certain media files.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The WikibaseMediaInfo component is vulnerable to cross-site scripting via text fields for certain media files.

Only users using the WikibaseMediaInfo extension are vulnerable to this issue.

How to fix?

Upgrade mediawiki/core to version 1.35.5/1.36.3/1.37.1 or higher.

source :

Thank you to all the teams involved, both the Wikimedia Team, and others that I can’t mention here. Have a nice day.