Bug 1903776 (CVE-2020-25828)

Summary: CVE-2020-25828 mediawiki: non-jqueryMsg version of mw.message().parse() doesn't escape HTML leads to XSS
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aos-bugs, axel.thimm, bmontgom, eparis, jburrell, jokerman, mike, nstielau, puiterwijk, shurley, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mediawiki-1.34.4, mediawiki-1.31.10 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-07 17:02:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1903778    
Bug Blocks: 1903781    

Description Dhananjay Arunesh 2020-12-02 18:38:11 UTC
An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)

References:
https://lists.wikimedia.org/pipermail/mediawiki-announce
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html

Comment 1 Dhananjay Arunesh 2020-12-02 18:38:51 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1903778]

Comment 3 Przemyslaw Roguski 2020-12-07 16:45:16 UTC
Statement:

OpenShift Container Platform (OCP)  delivers the mediawiki package, but the vulnerable code is not bundled, therefore OCP is not affected by this flaw.

Comment 4 Przemyslaw Roguski 2020-12-07 16:45:19 UTC
External References:

https://phabricator.wikimedia.org/T115888

Comment 5 Product Security DevOps Team 2020-12-07 17:02:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25828