Lakeus Skin for MediaWiki Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Lakeus skin for MediaWiki, affecting versions from 1.0.8 up to, but not including, the patched releases 1.3.1+REL1.39, 1.3.1+REL1.42 and 1.4.0. The issue arises from the skin's handling of system messages, which it outputs without sanitizing the HTML they may contain. System messages are editable by any user holding the 'editinterface' right, so such a user can inject script into a message the skin renders, such as 'lakeus-footermessage', and the script then executes for every user who views a page while the repository link is enabled. Other system messages used by the skin's theme designer can be targeted in the same way, but reaching them requires the viewing user to have adjusted the relevant user preferences.

Impact

Exploitation results in stored cross-site scripting: the injected script runs in the browser of every user who views a page rendered with the tampered message, in the context of that user's session on the wiki.

Reproduction

To reproduce this vulnerability, a user with the 'editinterface' right edits a system message used by the Lakeus skin, such as 'lakeus-footermessage' (edited as the page 'MediaWiki:Lakeus-footermessage' in the MediaWiki namespace), and inserts an XSS payload such as a script tag containing JavaScript, for example an alert. Once saved, the payload executes whenever the message is rendered, which demonstrates the vulnerability.

Remediation

Users should update to Lakeus version 1.3.1+REL1.39, 1.3.1+REL1.42 or 1.4.0, all of which include a patch for this vulnerability. Note that the patch changes how the skin renders the messages; it does not remove a payload that has already been stored in one of them. After upgrading, review the revision history of the affected messages (for example the page 'MediaWiki:Lakeus-footermessage') for unexpected edits and revert them.
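The following script is an added example and is not code from the Lakeus project or from this advisory. It covers both the reproduction above (it carries the script-tag payload described there, in constructed sample data) and the post-upgrade review suggested here: a pure check that flags markup a plain-text footer message should never contain, a helper that fetches a message's current content and last editor through the standard MediaWiki API (action=query, prop=revisions, formatversion=2), and an audit that runs the check over a set of messages. The API URL and the second message title are assumptions; the first title is the one named in the advisory.

```python
"""Audit MediaWiki system messages rendered by the Lakeus skin for injected markup.

Added example, not part of the Lakeus project. Sample message contents below are
constructed; 'MediaWiki:Lakeus-themedesigner-example' is a hypothetical key that
stands in for the theme designer messages the advisory does not name.
"""
import json
import re
import urllib.parse
import urllib.request

# Markup that has no business in a footer or theme-designer message.
# Stored XSS via a system message can arrive as a <script> tag (the advisory's
# payload) or as an inline event handler, so both families are matched.
SUSPICIOUS = re.compile(
    r"<\s*script\b"              # <script ...>
    r"|<\s*iframe\b"             # framed content
    r"|<\s*img\b|<\s*svg\b"      # common carriers for onerror/onload handlers
    r"|\bon[a-z]+\s*="           # inline event handler attributes, e.g. onerror=
    r"|javascript\s*:",          # javascript: URLs
    re.IGNORECASE,
)


def find_suspicious_markup(text):
    """Return the distinct suspicious fragments found in a message body, sorted."""
    return sorted({m.group(0) for m in SUSPICIOUS.finditer(text)})


def audit_messages(messages):
    """messages maps a page title to (content, last_editor).

    Returns a list of (title, last_editor, fragments) for every message that
    contains suspicious markup; an empty list means nothing was flagged.
    """
    findings = []
    for title, (content, editor) in messages.items():
        fragments = find_suspicious_markup(content)
        if fragments:
            findings.append((title, editor, fragments))
    return findings


def fetch_message(api_url, title):
    """Fetch (content, last_editor) of a message page via the MediaWiki API.

    Requires network access. Returns None when the page does not exist, which
    means the wiki still uses the skin's built-in default for that message.
    """
    params = {
        "action": "query",
        "prop": "revisions",
        "titles": title,
        "rvprop": "content|user|timestamp",
        "rvslots": "main",
        "format": "json",
        "formatversion": "2",
    }
    url = api_url + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url) as resp:
        data = json.load(resp)
    page = data["query"]["pages"][0]
    if page.get("missing") or not page.get("revisions"):
        return None
    rev = page["revisions"][0]
    return rev["slots"]["main"]["content"], rev["user"]


# Constructed sample: one tampered footer message carrying the advisory's
# script-tag payload, and one benign (hypothetical) theme designer message.
SAMPLE_MESSAGES = {
    "MediaWiki:Lakeus-footermessage": (
        "Powered by Lakeus<script>alert(document.cookie)</script>",
        "mallory",
    ),
    "MediaWiki:Lakeus-themedesigner-example": (
        "Choose a colour scheme",
        "admin",
    ),
}


def audit_live_wiki(api_url, titles):
    """Pull each title from a running wiki (assumed URL) and audit what came back."""
    messages = {}
    for title in titles:
        fetched = fetch_message(api_url, title)
        if fetched is not None:
            messages[title] = fetched
    return audit_messages(messages)


if __name__ == "__main__":
    # Offline run over the constructed sample; for a real wiki call
    # audit_live_wiki("https://example.org/w/api.php", SAMPLE_MESSAGES.keys()).
    for title, editor, fragments in audit_messages(SAMPLE_MESSAGES):
        print(f"{title}: suspicious markup {fragments}, last edited by {editor}")
```

The check is intentionally strict: a legitimate footer message may contain a wikilink or plain text, but never a script tag or an event-handler attribute, so any hit deserves a look at the page history and at who holds the 'editinterface' right on the wiki.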

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          0.0
  impact          1.7
  exploitability  6.1
  remediation     0.0
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.