Wikimedia MediaWiki Breadcrumbs2 Extension Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Wikimedia Foundation MediaWiki Breadcrumbs2 extension. This issue affects versions 1.39.X prior to 1.39.11, 1.41.X prior to 1.41.5, and 1.42.X prior to 1.42.4. The vulnerability arises from improper input sanitization during web page generation, allowing malicious users to inject scripts that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, install the Breadcrumbs2 extension and configure MediaWiki to allow display titles. Save a page with a crafted display title that includes both HTML and JavaScript elements. When the page is loaded, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to Breadcrumbs2 versions 1.39.11, 1.41.5, or 1.42.4 to address this vulnerability.