Wikimedia Foundation MediaWiki Wikibase Media Info Extension Cross-Site Scripting Vulnerability
Vulnerability
A Cross-Site Scripting (XSS) vulnerability has been identified in the Wikimedia Foundation's MediaWiki Wikibase Media Info Extension, affecting versions 1.39 through 1.43. The flaw stems from improper input validation: user-supplied Wikitext in a file caption is serialized into the file page without adequate escaping, so markup embedded in the caption is interpreted by the browser and executed as JavaScript.
Impact
Exploitation of this vulnerability allows Cross-Site Scripting (XSS) attacks: an attacker who can edit a caption can inject script that runs in the browser of any user viewing the affected file page, in that user's session context on the wiki.
Reproduction
To reproduce this vulnerability, upload a file to Commons and add a Wikitext caption that includes an image tag with an 'onerror' attribute. When the caption is processed and the file page is rendered, an alert box appears, demonstrating that the injected handler executed.
Remediation
Wiki operators should update to the latest version of the Wikibase Media Info Extension, in which this vulnerability has been fixed. Instructions for updating can be found in the MediaWiki documentation.
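The following is an added illustration, not code from the Wikibase Media Info extension, of the two output contexts the advisory's description implies (caption text placed into page markup, and caption data serialized as JSON into an inline script) and the escaping each needs. The caption string, function names and the assumption that both contexts exist are constructed for the example.

```javascript
// Added example; not code from the Wikibase Media Info extension.
// Assumption: a file caption is emitted on the file page both as HTML markup
// and as JSON inside an inline <script>. Each context needs its own escaping.

// Constructed sample caption in the shape the advisory describes: an image
// tag carrying an onerror handler.
const SAMPLE_CAPTION = 'Sunset <img src="x" onerror="alert(1)"> over the bay';

// Vulnerable pattern: the caption is concatenated straight into markup, so
// the browser parses the <img> tag and runs its handler.
function renderCaptionUnsafe(caption) {
  return '<div class="caption">' + caption + '</div>';
}

// Fixed pattern: escape the five HTML-significant characters so the caption
// is displayed as text and never parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}
function renderCaptionSafe(caption) {
  return '<div class="caption">' + escapeHtml(caption) + '</div>';
}

// Fixed pattern for the JSON-in-<script> context: JSON.stringify leaves '<'
// and '>' intact, so a caption containing "</script>" could close the script
// element. Encode them (plus '&' and the line separators U+2028/U+2029, which
// are valid inside JSON strings but end a JavaScript line) as \uXXXX escapes;
// JSON.parse restores the original characters on the client.
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Detection helper for tests or output review: true when rendered output
// still contains a tag carrying an inline event handler (on*=), which means
// the escaping step was skipped.
function containsInlineHandler(output) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(output);
}
```

Run `containsInlineHandler` against the unsafe and safe renderings of `SAMPLE_CAPTION` to see the difference: the unsafe markup carries a live `onerror`, the escaped one does not.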
