
Vuln-CSRF (Bugs)
Active, Public

Members (1)

Watchers (1)

Details

Description

This tag groups security bugs by their general classification: cross-site request forgery (CSRF). These bugs allow an attacker to make a logged-in user's browser perform state-changing actions on the website without that user's knowledge or consent, typically because a request is accepted on the strength of the session cookie alone, without an unguessable, session-bound token (in MediaWiki, the edit token). See OWASP Top 10 2013 - A8 (Cross-Site Request Forgery).
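The following is an added, self-contained illustration of the edit-token check that the SecurePoll fixes tracked below ("Require an edit token to archive/unarchive elections", "...to clear voter eligibility lists") rely on. It is not MediaWiki or SecurePoll code: the token format (HMAC over a server-side session secret plus a per-action salt, followed by a timestamp), the `wpEditToken` parameter name, the election store and the request replays are all assumptions made for the example. It replays the same requests against a vulnerable handler and a hardened one so the difference is visible.

```python
# Added illustration of the edit-token (CSRF) check pattern used to protect
# state-changing special-page actions. Not MediaWiki or SecurePoll code; the
# token format, salts, parameter names and sample data are assumptions.
import hashlib
import hmac
import secrets
import time


class Session:
    """A logged-in user's server-side session; the secret never leaves the server."""

    def __init__(self, user):
        self.user = user
        self.secret = secrets.token_hex(32)


def edit_token(session, salt="", now=None):
    """Mint a token bound to this session and action: HMAC(secret, 'ts:salt') + '+' + ts."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(session.secret.encode(), f"{ts}:{salt}".encode(), hashlib.sha256).hexdigest()
    return f"{mac}+{ts}"


def match_token(session, token, salt="", max_age=86400, now=None):
    """True only if `token` was minted from this session with this salt and is still fresh."""
    if not isinstance(token, str) or "+" not in token:
        return False
    mac, _, ts_s = token.rpartition("+")
    if not ts_s.isdigit():
        return False
    ts = int(ts_s)
    expected = hmac.new(session.secret.encode(), f"{ts}:{salt}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False
    current = int(time.time() if now is None else now)
    return 0 <= current - ts <= max_age


def new_store():
    """Constructed sample data: one election that an election admin may archive."""
    return {1: {"name": "Sample board election", "archived": False}}


def archive_unprotected(store, session, method, params):
    """Vulnerable handler: any request carrying the victim's cookies archives the
    election, so a GET or POST launched from an attacker's page succeeds."""
    store[int(params["election_id"])]["archived"] = True
    return "archived"


def archive_protected(store, session, method, params):
    """Hardened handler: POST only, and wpEditToken must match this session and action."""
    if method != "POST":
        return "error: state change requires POST"
    salt = f"archive-{params.get('election_id', '')}"
    if not match_token(session, params.get("wpEditToken"), salt=salt):
        return "error: session failure (missing or invalid edit token)"
    store[int(params["election_id"])]["archived"] = True
    return "archived"


def demo():
    """Replay the same requests against both handlers and report whether each archived."""
    victim = Session("ElectionAdmin")
    attacker = Session("Mallory")
    results = {}

    # 1. Cross-site GET, e.g. <img src=".../archive?election_id=1"> on an attacker page:
    #    the browser attaches the victim's cookies, but no token is present.
    csrf_get = {"election_id": "1"}
    s = new_store(); archive_unprotected(s, victim, "GET", csrf_get)
    results["unprotected_get"] = s[1]["archived"]              # True: forged
    s = new_store(); archive_protected(s, victim, "GET", csrf_get)
    results["protected_get"] = s[1]["archived"]                # False: refused

    # 2. Cross-site auto-submitted POST form, still without a valid token.
    s = new_store(); archive_protected(s, victim, "POST", csrf_get)
    results["protected_post_no_token"] = s[1]["archived"]      # False

    # 3. Attacker mints a token from their own session: secret differs, HMAC fails.
    forged = {"election_id": "1", "wpEditToken": edit_token(attacker, "archive-1")}
    s = new_store(); archive_protected(s, victim, "POST", forged)
    results["protected_post_forged_token"] = s[1]["archived"]  # False

    # 4. A token minted for a different action (salt) is rejected too.
    wrong_salt = {"election_id": "1", "wpEditToken": edit_token(victim, "unarchive-1")}
    s = new_store(); archive_protected(s, victim, "POST", wrong_salt)
    results["protected_post_wrong_action"] = s[1]["archived"]  # False

    # 5. Legitimate flow: the form rendered for the victim embeds a fresh token.
    legit = {"election_id": "1", "wpEditToken": edit_token(victim, "archive-1")}
    s = new_store(); archive_protected(s, victim, "POST", legit)
    results["protected_post_valid"] = s[1]["archived"]         # True

    # 6. A leaked token older than max_age is refused as stale.
    old = edit_token(victim, "archive-1", now=1_000_000)
    results["stale_token_accepted"] = match_token(victim, old, "archive-1", now=1_000_000 + 90_000)
    return results


if __name__ == "__main__":
    for name, archived in demo().items():
        print(f"{name}: {archived}")
```

Binding the token to a per-action salt (here `archive-<id>`) is what stops a token harvested from one form being replayed against another endpoint; requiring POST on top of the token keeps simple `<img>`/link-based forgeries out entirely and means the token is only ever carried in a request body.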

Parent project: Security-Team

Recent Activity

Sep 3 2025

Dreamy_Jazz moved T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.
Sep 3 2025, 1:07 PM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team

Aug 19 2025

sbassett moved T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Watching to Our Part Is Done on the Security-Team board.
Aug 19 2025, 1:56 PM
STran closed T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation as Resolved.

Closing this as there seems to be no other action needed on our part. @jrbs please re-open if there's a problem.

Aug 19 2025, 12:00 PM
OKryva-WMF moved T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.
Aug 19 2025, 10:29 AM
OKryva-WMF edited projects for T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation, added: Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)); removed Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)).
Aug 19 2025, 10:27 AM

Aug 14 2025

Dreamy_Jazz added a project to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation: Essential-Work.
Aug 14 2025, 10:30 AM

Jul 28 2025

Dreamy_Jazz moved T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.
Jul 28 2025, 6:20 PM

Jul 25 2025

Niharika edited projects for T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation, added: Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)); removed Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)).
Jul 25 2025, 3:27 PM

Jul 23 2025

Dreamy_Jazz reopened T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation as "Open".

Re-opening so that we can track QA on this.

Jul 23 2025, 2:23 PM

Jul 8 2025

mmartorana renamed T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from CVE-2025-53484: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation to CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
Jul 8 2025, 5:44 PM
mmartorana changed the visibility for T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
Jul 8 2025, 5:43 PM
mmartorana closed T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation as Resolved.
Jul 8 2025, 5:42 PM
mmartorana renamed T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation to CVE-2025-53484: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
Jul 8 2025, 5:41 PM

Jul 7 2025

gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1166900 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_44] SECURITY: Require an edit token to clear voter eligibility lists

https://gerrit.wikimedia.org/r/1166900

Jul 7 2025, 8:45 PM
RhinosF1 updated subscribers of T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
Jul 7 2025, 8:01 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1166900 had a related patch set uploaded (by Dreamy Jazz; author: STran):

[mediawiki/extensions/SecurePoll@REL1_44] SECURITY: Require an edit token to clear voter eligibility lists

https://gerrit.wikimedia.org/r/1166900

Jul 7 2025, 6:43 PM
kostajh edited projects for T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation, added: Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)); removed Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).
Jul 7 2025, 9:41 AM

Jul 2 2025

gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1165927 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_44] SECURITY: Require an edit token to archive/unarchive elections

https://gerrit.wikimedia.org/r/1165927

Jul 2 2025, 3:49 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1165927 had a related patch set uploaded (by Mmartorana; author: STran):

[mediawiki/extensions/SecurePoll@REL1_44] SECURITY: Require an edit token to archive/unarchive elections

https://gerrit.wikimedia.org/r/1165927

Jul 2 2025, 3:43 PM

Jun 18 2025

STran moved T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.
Jun 18 2025, 7:56 AM

Jun 16 2025

kostajh edited projects for T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation, added: Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).
Jun 16 2025, 6:13 AM

Jun 12 2025

sbassett removed a project from T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation: user-sbassett.
Jun 12 2025, 3:53 PM

Jun 3 2025

sbassett added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

It looks like the last remaining security tickets will ride the train on Thursday.

Jun 3 2025, 8:41 PM
Novem_Linguae added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

It looks like the last remaining security patches will ride the train on Thursday. Is there a manual testing step after these ride the train, or can we close this ticket on Thursday? Also, will T378287: Enable SecurePoll extension and electionclerk user group on enwiki become unblocked on Thursday?

Jun 3 2025, 5:34 PM

May 28 2025

sbassett moved T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Backlog to In Progress on the user-sbassett board.
May 28 2025, 3:19 PM
sbassett added a project to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation: user-sbassett.
May 28 2025, 3:19 PM
sbassett added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149669 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Escape links generated by the translation import results tab

https://gerrit.wikimedia.org/r/1149669

May 28 2025, 2:57 PM

May 27 2025

gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149669 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Escape links generated by the translation import results tab

https://gerrit.wikimedia.org/r/1149669

May 27 2025, 4:11 PM

May 26 2025

Novem_Linguae updated the task description for T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
May 26 2025, 10:35 PM

May 25 2025

kostajh edited projects for T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation, added: Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).
May 25 2025, 6:58 PM

May 24 2025

sbassett added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Ran scap remove-patch for the first 4 patches, which were merged in gerrit: https://sal.toolforge.org/log/bx7M_5YBffdvpiTrqZR4

May 24 2025, 12:59 AM
sbassett updated subscribers of T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
May 24 2025, 12:54 AM
sbassett updated subscribers of T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
May 24 2025, 12:54 AM
sbassett changed the status of T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from Open to In Progress.
May 24 2025, 12:43 AM
Jdlrobson-WMF merged task T73848: Ensure CSRF tokens are used upon various form submissions into Restricted Task.
May 24 2025, 12:01 AM · Vuln-CSRF, Collection

May 23 2025

SecurityPatchBot changed the status of T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from In Progress to Open.

Patch 01-T392341.patch is currently failing to apply for the most recent code in the mainline branch of extensions/SecurePoll. This is blocking MediaWiki release 1.45.0-wmf.3 (T392173).

May 23 2025, 11:52 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149664 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Require an edit token to clear voter eligibility lists

https://gerrit.wikimedia.org/r/1149664

May 23 2025, 3:02 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149668 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Gate access to SetTranslationHandler

https://gerrit.wikimedia.org/r/1149668

May 23 2025, 3:02 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149618 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Require an edit token to archive/unarchive elections

https://gerrit.wikimedia.org/r/1149618

May 23 2025, 3:02 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149655 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Sanitize displayed STV option text

https://gerrit.wikimedia.org/r/1149655

May 23 2025, 2:46 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149669 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Escape links generated by the translation import results tab

https://gerrit.wikimedia.org/r/1149669

May 23 2025, 1:28 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149668 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Gate access to SetTranslationHandler

https://gerrit.wikimedia.org/r/1149668

May 23 2025, 1:28 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149664 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Require an edit token to clear voter eligibility lists

https://gerrit.wikimedia.org/r/1149664

May 23 2025, 1:26 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149655 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Sanitize displayed STV option text

https://gerrit.wikimedia.org/r/1149655

May 23 2025, 12:44 PM
gerritbot added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Change #1149618 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] SECURITY: Require an edit token to archive/unarchive elections

https://gerrit.wikimedia.org/r/1149618

May 23 2025, 9:34 AM

May 21 2025

STran added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

Confirmed that:

May 21 2025, 2:37 PM
sbassett added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

New 04 patch

May 21 2025, 2:31 PM
STran added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

In addition to the updated 04 patch, QA needs to wait on I1b4fbcabbca7cc5475c7bbd429cb8ab068bc4ee3 to be backported, which I've scheduled for the upcoming window.

May 21 2025, 12:16 PM
STran added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

New 04 patch

May 21 2025, 12:13 PM
mszabo added a comment to T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.

We'll need to update patch #4 due to T394900.

May 21 2025, 10:24 AM