[ CVE-2021-46146 ] Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org

Hi everyone,

On Oct 16 2021, we discovered this stored XSS vulnerability at https://commons.wikimedia.org/ and immediately reported it to the Wikimedia team. Let's take a minute to look at it.

At that time, we found the subdomain https://commons.wikimedia.org/, which has a file upload feature.

After uploading a file there, we were redirected to a form asking for details about the upload:

Naturally, the first thing we did was test the form fields for XSS by entering a commonly used XSS payload:

At first we weren't expecting to find XSS there, because plain text entered into a caption field should never be passed through as HTML. Contrary to our expectations, that is exactly what happened: the plain text carrying the XSS payload was rendered as HTML, which of course triggers the XSS.

The payload executed and a pop-up appeared.
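The root cause described above is user-supplied caption text being inserted into the page as markup instead of as text. The following is an added example (not code from WikibaseMediaInfo or MediaWiki; function names and sample captions are constructed for illustration) that shows the vulnerable rendering pattern beside the hardened one, and a small regression check a test suite can run over sample captions to catch the regression:

```javascript
// Added example (not WikibaseMediaInfo or MediaWiki code): rendering a
// user-supplied caption as HTML versus as text, plus a regression check.
// All function names and sample captions below are hypothetical/constructed.

// Characters that can open or close markup or an attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter for an HTML text or attribute context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the caption is concatenated into markup unchanged, so
// any tags it contains become part of the page. This is what assigning the
// string to innerHTML or passing it to jQuery .html() does in a browser.
function renderCaptionUnsafe(caption) {
  return `<div class="caption">${caption}</div>`;
}

// Hardened pattern: the caption is escaped first, so the browser displays the
// literal characters instead of interpreting them. In browser code the
// equivalent is element.textContent = caption or jQuery .text(caption).
function renderCaptionSafe(caption) {
  return `<div class="caption">${escapeHtml(caption)}</div>`;
}

// Regression check: true if any tag written in the raw caption survives
// verbatim into the rendered output, i.e. user text was treated as markup.
function captionLeaksMarkup(caption, renderer) {
  const tags = caption.match(/<[^>]+>/g) || [];
  const rendered = renderer(caption);
  return tags.some((tag) => rendered.includes(tag));
}

// Run the check over a list of captions and return the ones that leak.
function auditCaptions(captions, renderer) {
  return captions.filter((caption) => captionLeaksMarkup(caption, renderer));
}

// Constructed sample captions: one harmless, one with inert tags and quotes,
// one carrying the kind of script tag a generic XSS probe uses.
const SAMPLE_CAPTIONS = [
  'Sunset over the harbour, 2021',
  '<b>not bold</b> & "quotes"',
  '<script>alert(1)</script>',
];

// Stand-alone usage: list which captions each renderer mishandles.
console.log('unsafe renderer leaks:', auditCaptions(SAMPLE_CAPTIONS, renderCaptionUnsafe));
console.log('safe renderer leaks:  ', auditCaptions(SAMPLE_CAPTIONS, renderCaptionSafe));
```

The check deliberately treats any surviving tag as a failure, including the harmless `<b>` one: a caption field is plain text, so the expected output is the escaped characters, never interpreted markup.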

We then tried to contact the Wikimedia Security team to report the findings.

By Oct 19 2021 the finding had been fixed by the Wikimedia team, a very fast turnaround.

Quoting the Snyk (snyksec) advisory:

How to fix?

Upgrade mediawiki/core to version 1.35.5/1.36.3/1.37.1 or higher.

Source:

Thank you to all the teams involved, both the Wikimedia Team, and others that I can’t mention here. Have a nice day.

Bug Hunter & Penetration Testing