#php

### Summary Short descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using `mw.util.addSubtitle`, allowing any user to insert arbitrary HTML into the DOM by editing a page. ### Details The description provided by the user via the `{{SHORTDESC:}}` parser function is insufficiently sanitized by the `sanitize()` function, as html entities are decoded: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159 Via JS, the short description is then passed to `mw.util.addSubtitle`, which inserts it as raw HTML: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8 https://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563 ### PoC 1. Enable ShortDescription 2. Make sure `$wgSho...

### Summary Short descriptions set via the [ShortDescription extension](https://www.mediawiki.org/wiki/Extension:ShortDescription) are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. ### Details The `shortdesc` property, which contains unsanitized user input, is retrieved from the OutputPage and returned as the tagline: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/includes/Components/CitizenComponentPageHeading.php#L249-L251 The tagline is then provided to the template data: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/includes/Components/CitizenComponentPageHeading.php#L270-L275 The template then inserts the tagline into raw HTML without doing any escaping: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/templates/PageHeading.mustache#L12 ...

### Summary Page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. ### Details The descriptions, which are unsanitized, are inserted as raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d4dfc3697a82948b3b9c4d44e9a273c79bc86b87/resources/skins.citizen.search/templates/TypeaheadListItem.mustache#L18 ### PoC All of the reproduction methods require the command palette to be disabled via `$wgCitizenEnableCommandPalette = false;`. Additionally, the action API must be used as the Search Gateway via `$wgCitizenSearchGateway = 'mwActionApi';`. #### TextExtracts as the description source * Enable the TextExtracts extension * Add `$wgCitizenSearchDescriptionSource = 'textextracts';` to your LocalSettings.php * Create a page called `CitizenXSSTextExtracts` and insert `<img src="" onerror="alert('citizen search xss')">` into it * Open the search modal and search for `CitizenXSSTextExtracts` ![ima...

### Summary Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. ### Details The `args` provided within the wikitext as attributes to the `<tabber>` tag are passed to the TabberComponentTabs class: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php#L76 In TabberComponentTabs, the attributes are validated before being supplied to the Tabs template. https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php#L15-L31 However, the validation is insufficient. What `Sanitizer::validateTagAttributes` does is call `validateAttributes`, which ``` * - Discards attributes not on the given list * - Unsafe style attributes are discarded * - Invalid id attributes are re-encoded ``` However, the attribute values are expected to be escaped when inserte...

RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution.

Wordfence exposes a sophisticated WordPress malware campaign using a rogue WordPress Core plugin. Active since 2023, it steals credit cards and credentials with advanced anti-detection.

### Impact goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. ### Patches Has the problem been patched? What versions should users upgrade to? The problem is patched with Version 1.4.3 ### Workarounds Patch `src/Goodby/CSV/Export/Standard/Collection /CallbackCollection.php`: ```diff + public function __wakeup() { + throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__); + } ``` However, this is not directly exploitable; a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in goodby-csv. ### References _Are there any links users can visit to find out more?_

### Summary Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The result of `$this->lang->userDate( $timestamp, $this->user )` returns unescaped values, but is inserted as raw HTML by Citizen: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60 ### PoC 1. Go to any page using citizen with the uselang parameter set to x-xss and while being logged in Depending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's `november`:  ### Impact This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.

Various system messages are inserted by the Citizen skin in multiple places without proper sanitization. ## 1 - Command Palette Tips ### Summary Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The messages are retrieved using the `plain()` output mode: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66 `currentTip` is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69 `currentTip` is inserted as raw HTML (`vue/no-v-html` should *not* be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/reso...

### Summary Missing checks allow for SSRF to specific targets using the TestWfsPost enpoint. ### Mitigation To manage the proxy base value as a system administrator, use the parameter ``PROXY_BASE_URL`` to provide a non-empty value that cannot be overridden by the user interface or incoming request.[thomsmith](https://github.com/thomsmith). ### Resolution The TestWfsPost has been replaced in GeoServer 2.25.2 and GeoServer 2.24.4 with a JavaScript [Demo Requests](https://docs.geoserver.org/latest/en/user/configuration/demos/index.html#demo-requests) page to test OGC Web Services. ### References * [CVE-2024-29198](https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw) Unauthenticated SSRF via TestWfsPost