Wikimedia MediaWiki RefreshSpecial Extension Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the RefreshSpecial extension for MediaWiki. This issue affects versions 1.39.X prior to 1.39.11, 1.41.X prior to 1.41.3, and 1.42.X prior to 1.42.2. The vulnerability arises from improper input sanitization during web page generation, allowing malicious users to inject harmful scripts that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the victim's browser.

Reproduction

The vulnerability can be reproduced by accessing the Special:RefreshSpecial page in an affected version of MediaWiki with the RefreshSpecial extension enabled. The injected script can be delivered through a crafted message that is not properly sanitized before being displayed.

Remediation

Users can update to MediaWiki RefreshSpecial Extension versions 1.39.11, 1.41.3, or 1.42.2 to address this vulnerability.