Miggo Logo

CVE-2021-30458: Wikimedia Parsoid vulnerable to Cross-site Scripting (XSS)

6.1

CVSS Score
3.1

Basic Information

EPSS Score
0.44138%
Published
5/24/2022
Updated
6/7/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
wikimedia/parsoidcomposer>= 0.12, < 0.12.20.12.2
wikimedia/parsoidcomposer< 0.11.10.11.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how Parsoid's WTUtils.php handled HTML comments containing JSON data. The functions reinsertFosterableContent and decodeComment failed to distinguish between legitimate internal comments and user-controlled comments containing specially crafted JSON with '@type' keys. This allowed attackers to inject <meta> tags post-sanitization. The Phabricator ticket T279451 explicitly discusses these functions' roles in comment processing and the security patch's focus on modifying key validation (changing '@type' to a protected '-type' key). The high confidence comes from direct references to these functions in the vulnerability discussion and patch details.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in Wikim**i* P*rsoi* ***or* *.**.* *n* *.**.x ***or* *.**.*. *n *tt**k*r **n s*n* *r**t** wikit*xt t**t Utils/WTUtils.p*p will tr*ns*orm *y usin* * <m*t*> t**, *yp*ssin* s*nitiz*tion st*ps, *n* pot*nti*lly *llowin* *or XSS.

Reasoning

T** vuln*r**ility st*ms *rom *ow P*rsoi*'s `WTUtils.p*p` **n*l** *TML *omm*nts *ont*inin* JSON **t*. T** *un*tions `r*ins*rt*ost*r**l**ont*nt` *n* `***o***omm*nt` **il** to *istin*uis* **tw**n l**itim*t* int*rn*l *omm*nts *n* us*r-*ontroll** *omm*nts