GHSA-jfj7-249r-7j2m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jfj7-249r-7j2m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-jfj7-249r-7j2m/GHSA-jfj7-249r-7j2m.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-jfj7-249r-7j2m
- Aliases
- Published
- 2025-06-27T20:50:40Z
- Modified
- 2025-06-27T21:29:36.144853Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
- Summary
- TabberNeue vulnerable to Stored XSS through wikitext
- Details
-
Summary
Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the
<tabber>tag.Details
The
argsprovided within the wikitext as attributes to the<tabber>tag are passed to the TabberComponentTabs class: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php#L76In TabberComponentTabs, the attributes are validated before being supplied to the Tabs template. https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php#L15-L31 However, the validation is insufficient. What
Sanitizer::validateTagAttributesdoes is callvalidateAttributes, which* - Discards attributes not on the given list * - Unsafe style attributes are discarded * - Invalid id attributes are re-encodedHowever, the attribute values are expected to be escaped when inserted into HTML.
The attribute values are then inserted into HTML without being escaped: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/templates/Tabs.mustache#L1
PoC
XSS through attributes:
- Go to Special:ExpandTemplates and insert the following wikitext:
<tabber class='test123" onmouseenter="alert(1)"'> |-|First Tab Title= First tab content goes here. </tabber> - Press "OK"
- Hover over the tabber
XSS through script tags:
- Go to Special:ExpandTemplates and insert the following wikitext:
<tabber class='test123"><script>alert(2)</script>'> |-|First Tab Title= First tab content goes here. </tabber> - Press "OK"
Impact
Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.
- Go to Special:ExpandTemplates and insert the following wikitext:
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-06-27T18:15:50Z", "severity": "HIGH", "cwe_ids": [ "CWE-79", "CWE-80" ], "github_reviewed_at": "2025-06-27T20:50:40Z" }- References
-
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-jfj7-249r-7j2m
- https://nvd.nist.gov/vuln/detail/CVE-2025-53093
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/4cdf217ef96da74a1503d1dd0bb0ed898fc2a612
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/62ce0fcdf32bd3cfa77f92ff6b940459a14315fa
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php#L15-L31
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php#L76
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/templates/Tabs.mustache#L1
Affected packages
Packagist / starcitizentools/tabber-neue
Package
- Name
- starcitizentools/tabber-neue
- Purl
- pkg:composer/starcitizentools/tabber-neue