Wikimedia Foundation MediaWiki DataTransfer Extension Cross-Site Request Forgery and Cross-Site Scripting Vulnerability
Vulnerability
A vulnerability in the Wikimedia Foundation MediaWiki DataTransfer Extension allows for Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. This issue affects MediaWiki DataTransfer Extension versions 1.39.X prior to 1.39.11, 1.41.X prior to 1.41.3, and 1.42.X prior to 1.42.2.
Impact
Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of a user (CSRF) and the injection of malicious scripts that could be executed in the context of the user's browser (XSS).
Reproduction
To reproduce this vulnerability, import a CSV file using the 'Import CSV' feature of the DataTransfer extension. The import request is processed without proper Cross-Site Request Forgery (CSRF) protection, so a request forged by another site is accepted as if the logged-in user had submitted the form, letting a malicious actor perform the import on that user's behalf.
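As an added illustration, not the DataTransfer extension's own code, the following hypothetical MediaWiki special page shows the two controls a reviewer looks for in a CSV-import handler: an edit-token match before any state-changing work, and escaped output of user-controlled strings. The class name, form field names and the message key are assumptions.

```php
<?php
// Illustrative sketch of a CSV-import special page (hypothetical; not DataTransfer's code).
class SpecialImportCsvExample extends SpecialPage {
    public function __construct() {
        parent::__construct( 'ImportCsvExample', 'edit' ); // only users with the 'edit' right
    }

    public function execute( $subPage ) {
        $this->setHeaders();
        $this->checkPermissions();
        $request = $this->getRequest();
        $out = $this->getOutput();

        if ( !$request->wasPosted() ) {
            $out->addHTML( $this->buildForm() );
            return;
        }

        // CSRF control: the POST must carry the session-bound edit token.
        // Skipping this check is the class of flaw the advisory describes:
        // a form auto-submitted by another site would be accepted as the user.
        if ( !$this->getUser()->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
            $out->addWikiMsg( 'sessionfailure' ); // standard core message
            return;
        }

        $upload = $request->getUpload( 'file_name' );
        $name = $upload->getName();
        // XSS control: never concatenate attacker-controlled text into HTML;
        // Html::element() escapes it, so the file name cannot break out of the <p>.
        $out->addHTML( Html::element( 'p', [], "Importing: $name" ) );
        // ... parse the CSV and create or update pages here ...
    }

    private function buildForm() {
        return Html::openElement( 'form', [
                'method' => 'post',
                'enctype' => 'multipart/form-data',
                'action' => $this->getPageTitle()->getLocalURL(),
            ] )
            . Html::input( 'file_name', '', 'file' )
            // The token is emitted into the legitimate form and checked on submit.
            . Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() )
            . Html::submitButton( $this->msg( 'importcsvexample-submit' )->text() ) // assumed key
            . Html::closeElement( 'form' );
    }
}
```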
Remediation
Update to a fixed release of the MediaWiki DataTransfer Extension: 1.39.11 or later on the 1.39 branch, 1.41.3 or later on the 1.41 branch, or 1.42.2 or later on the 1.42 branch.
