Wikimedia Foundation MediaWiki and Parsoid Unicode Normalization Vulnerability Allowing JavaScript Injection

Vulnerability

A vulnerability exists in Wikimedia Foundation MediaWiki and Parsoid: the Action API normalizes its output to Unicode Normalization Form C (NFC), including response strings that contain HTML. NFC is not safe to apply to serialized HTML. A combining mark that follows a markup delimiter can compose with it into a single precomposed code point (for example '>' U+003E followed by U+0338 becomes '≯' U+226F), which removes the delimiter from the string and changes how the browser parses the surrounding tag, allowing attacker-controlled markup and JavaScript to be injected. Affected versions are MediaWiki prior to 1.39.12, 1.42.6 and 1.43.1, and Parsoid prior to 0.16.5, 0.19.2 and 0.20.2.

Impact

Exploitation allows an attacker to execute arbitrary JavaScript in the browser of a user who receives the affected API output, in the wiki's origin and with that user's session (cross-site scripting).

Reproduction

To reproduce, submit content through the MediaWiki Action API whose rendered HTML places a U+0338 COMBINING LONG SOLIDUS OVERLAY immediately after the '>' that closes a tag. When the API normalizes the response to NFC, the two code points compose into '≯' (U+226F), the tag is left unterminated, and the text that follows is parsed by the browser as part of the tag, so attacker-controlled attributes such as an event handler can be injected. Two reachable paths are the VisualEditor 'parsefragment' action and a direct call to the 'categorytree' action; both return HTML through the normalizing API layer.
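The following is an added illustration, not code from MediaWiki or Parsoid. It models the defect with a hypothetical renderer (render_fragment) that escapes user text correctly, then shows what happens when NFC is applied to the finished HTML string versus to the plain text before markup is built. It also enumerates, from the Unicode canonical decomposition data shipped with Python, which ASCII markup delimiters can be absorbed by a following combining mark under NFC, which generalizes the '>' + U+0338 case described above. The attacker-style input is constructed for the example.

```python
import html
import sys
import unicodedata

# U+0338 COMBINING LONG SOLIDUS OVERLAY. NFC composes it with a preceding
# '<', '>' or '=' into U+226E, U+226F or U+2260 respectively.
COMBINING_LONG_SOLIDUS_OVERLAY = "\u0338"

# Characters that carry structure in an HTML string. If NFC fuses one of
# these with a following combining mark, the markup changes shape.
MARKUP_CHARS = "<>=\"'&/"


def render_fragment(user_text: str) -> str:
    """Hypothetical renderer: escape user text and wrap it in a span.

    Stands in for a sanitised HTML fragment produced by the parser; the
    escaping itself is correct, so the string is safe at this point.
    """
    return f"<span>{html.escape(user_text)}</span>"


def vulnerable_api_output(user_text: str) -> str:
    """Model of the flaw: NFC is applied to the finished HTML string.

    With a leading U+0338 in user_text, the '>' that closes <span> and
    the combining mark compose into U+226F, so the tag never terminates
    and an HTML tokenizer reads the following text as tag content.
    """
    return unicodedata.normalize("NFC", render_fragment(user_text))


def hardened_api_output(user_text: str) -> str:
    """One safe ordering (an assumption, not the upstream fix): normalise
    the plain text first, then build markup from it.

    A combining mark at the start of the text has no base character to
    attach to, so it cannot reach the '>' the renderer emits later.
    """
    return render_fragment(unicodedata.normalize("NFC", user_text))


def nfc_alters_markup(html_string: str) -> bool:
    """Detection check: does NFC change the count of any markup delimiter?

    True means normalising this string would rewrite its HTML structure.
    """
    normalized = unicodedata.normalize("NFC", html_string)
    return any(html_string.count(c) != normalized.count(c) for c in MARKUP_CHARS)


def markup_absorbing_pairs() -> dict:
    """Enumerate (markup char, combining sequence) pairs that NFC fuses.

    Scans every code point (surrogates excluded) for a canonical
    decomposition that starts with one of MARKUP_CHARS. The result shows
    which ASCII delimiters can vanish from an HTML string under NFC; the
    scan takes a second or two.
    """
    pairs = {}
    for cp in range(sys.maxunicode + 1):
        if 0xD800 <= cp <= 0xDFFF:
            continue
        ch = chr(cp)
        decomposed = unicodedata.normalize("NFD", ch)
        if len(decomposed) >= 2 and decomposed[0] in MARKUP_CHARS:
            pairs[(decomposed[0], decomposed[1:])] = ch
    return pairs


if __name__ == "__main__":
    # Constructed attacker input: a combining mark followed by an event
    # handler attribute, meant to land right after the renderer's '>'.
    payload = COMBINING_LONG_SOLIDUS_OVERLAY + " onmouseover=alert(1) x"
    print("vulnerable:", repr(vulnerable_api_output(payload)))
    print("hardened:  ", repr(hardened_api_output(payload)))
    print("nfc alters markup:", nfc_alters_markup(render_fragment(payload)))
    for (base, marks), fused in sorted(markup_absorbing_pairs().items()):
        print(f"{base!r} + {marks!r} -> {fused!r} (U+{ord(fused):04X})")
```

The enumeration is the check a practitioner wants before trusting any normalization step on markup: it shows that '<', '>' and '=' each have a composition with U+0338, so the same trick that unterminates a tag can also remove an opening bracket or an attribute's equals sign. The safe pattern is to normalize text before it is escaped and assembled into HTML, never the serialized HTML itself.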

Remediation

Upgrade MediaWiki to 1.39.12, 1.42.6 or 1.43.1 (or later) and Parsoid to 0.16.5, 0.19.2 or 0.20.2 (or later). As a general rule, Unicode normalization belongs on plain text before it is escaped and assembled into markup, never on a serialized HTML string; any other code path that normalizes finished HTML has the same defect.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.7
exploitability: 7.9
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 5.7
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.