Wikimedia Foundation MediaWiki SimpleCalendar Extension Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Wikimedia Foundation's MediaWiki SimpleCalendar extension, affecting versions 1.39 through 1.43. This vulnerability arises from improper input validation, allowing malicious users to inject harmful scripts that could be executed in the context of the user viewing the page.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, save a calendar template with specific day formats into a page. Then, edit the system messages corresponding to the calendar month or day format and view the page, or use a specific language code that triggers the XSS. Alternatively, inject a script into the calendar title parameter and view the page to see the script execution.

Remediation

Users can update to the patched versions of the SimpleCalendar extension available on Gerrit.