CVE-2024-23172: Several not properly escaped messages in the CheckUser extension Status: Closed, Resolved Assigned To: Mstylers Tags: - Security-Team - CheckUser - Vuln-XSS - Patch-For-Review - MW-1.42-notes (1.42.0-wmf.14; 2024-01-16) Description: - Issue: Several messages in CheckUser extension are not properly escaped, leading to XSS vulnerabilities. - Affected messages: - Special:CheckUserLog: checkuser-log-entry-userips, checkuser-log-entry-ipedits, checkuser-log-entry-ipusers, checkuser-log-entry-ipedits-xff, checkuser-log-entry-ipusers-xff, checkuser-log-entry-useredits, checkuser-log-entry-investigate, parentheses - Special:CheckUser:Get users': checkuser-massblock-text - Special:Investigate 'Timeline': september - Some messages with prefix contain HTML but are not in RawHtmlMessages config. Risk Rating: Low Author Affiliation: WMF Technology Related Changes in Gerrit: - SECURITY: Address many XSS vectors via message definitions - Addressed in mediawiki/extensions/CheckUser Related Objects: - Patch submissions and discussions - Testing and deployment plans Comments and Updates: - Discussion on proper escaping methods and patch updates - Collaboration between multiple contributors and security team -沉迷分布和讨论研究。