Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-jfj7-249r-7j2m

Опубликовано: 27 июн. 2025
Источник: github
Github: Прошло ревью
CVSS3: 8.6

Описание

TabberNeue vulnerable to Stored XSS through wikitext

Summary

Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the <tabber> tag.

Details

The args provided within the wikitext as attributes to the <tabber> tag are passed to the TabberComponentTabs class: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php#L76

In TabberComponentTabs, the attributes are validated before being supplied to the Tabs template. https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php#L15-L31 However, the validation is insufficient. What Sanitizer::validateTagAttributes does is call validateAttributes, which

* - Discards attributes not on the given list * - Unsafe style attributes are discarded * - Invalid id attributes are re-encoded

However, the attribute values are expected to be escaped when inserted into HTML.

The attribute values are then inserted into HTML without being escaped: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/templates/Tabs.mustache#L1

PoC

XSS through attributes:

  1. Go to Special:ExpandTemplates and insert the following wikitext:
<tabber class='test123" onmouseenter="alert(1)"'> |-|First Tab Title= First tab content goes here. </tabber>
  1. Press "OK"
  2. Hover over the tabber

image

XSS through script tags:

  1. Go to Special:ExpandTemplates and insert the following wikitext:
<tabber class='test123"&gt;&lt;script&gt;alert(2)&lt;/script&gt;'> |-|First Tab Title= First tab content goes here. </tabber>
  1. Press "OK" image

Impact

Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.

Ссылки

Пакеты

Наименование

starcitizentools/tabber-neue

composer
Затронутые версииВерсия исправления

>= 3.0.0, < 3.1.1

3.1.1

EPSS

Процентиль: 23%
0.00078
Низкий

8.6 High

CVSS3

CVE ID

CVE-2025-53093

Дефекты

CWE-79
CWE-80

Связанные уязвимости

nvd логотип

CVE-2025-53093

CVSS3: 8.6
nvd
7 месяцев назад

TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTMLinto the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Version 3.1.1 contains a patch for the bug.

EPSS

Процентиль: 23%
0.00078
Низкий

8.6 High

CVSS3

CVE ID

CVE-2025-53093

Дефекты

CWE-79
CWE-80