Wikimedia MediaWiki OpenBadges Extension Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Wikimedia Foundation MediaWiki OpenBadges Extension. This issue arises from improper input sanitization during web page generation, allowing malicious users to inject harmful scripts. The vulnerability affects OpenBadges Extension versions 1.39.X prior to 1.39.11, 1.41.X prior to 1.41.3, and 1.42.X prior to 1.42.2.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

The vulnerability can be reproduced by accessing the 'Special:BadgeView' page with a badge that includes unescaped system messages. This can be done by creating or modifying a badge to include such messages, which will then be rendered as executable script in the user's browser.

Remediation

Users can update to OpenBadges Extension versions 1.39.11, 1.41.3, or 1.42.2 to address this vulnerability.