StarCitizenTools ShortDescription
cpe:2.3:a:mediawiki:shortdescription:*:*:*:*:mediawiki:*:*
- >= 05f6c6824f8f37dcc2d51cf6df4e7a09bea2196c
A stored cross-site scripting vulnerability has been identified in the MediaWiki Short Description extension, specifically in version 4.0.0. The issue arises because short descriptions are not properly sanitized before being added as HTML using 'mw.util.addSubtitle'. This flaw allows any user to inject arbitrary HTML into the DOM by editing a page. The vulnerability has been patched in version 4.0.1.
Exploitation of this vulnerability allows arbitrary HTML to be injected into the DOM, which could include markup that executes JavaScript.
To reproduce this vulnerability, enable the ShortDescription extension and ensure that the '$wgShortDescriptionEnableTagline' setting is set to true. Create a page and insert a short description using the 'SHORTDESC' parser function, including unescaped HTML such as an image tag with an 'onerror' attribute. When the page is viewed, the injected HTML will be executed, demonstrating the cross-site scripting vulnerability.
Users can update to version 4.0.1 or later, where this vulnerability has been fixed.
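As an added example (not code from the extension or from this advisory), the following JavaScript audits page wikitext for 'SHORTDESC' values that contain HTML markup, which helps locate pages edited to carry markup in their short description. The function names, the heuristic checks, the case-insensitive match on the parser function name and the sample pages are assumptions made for illustration.

```javascript
// Added example: flag SHORTDESC values that contain HTML markup.
// Page titles and wikitext below are constructed sample data.

// Extract each {{SHORTDESC:...}} argument, tracking brace depth so that a
// nested template inside the description does not end the match early.
function extractShortDescs(wikitext) {
  const found = [];
  const opener = /\{\{\s*SHORTDESC\s*:/gi;
  while (opener.exec(wikitext) !== null) {
    let depth = 1;
    let i = opener.lastIndex;
    while (i < wikitext.length && depth > 0) {
      if (wikitext.startsWith('{{', i)) { depth++; i += 2; }
      else if (wikitext.startsWith('}}', i)) { depth--; i += 2; }
      else { i++; }
    }
    // Unterminated calls (depth never reaches 0) are skipped.
    if (depth === 0) found.push(wikitext.slice(opener.lastIndex, i - 2).trim());
  }
  return found;
}

// Heuristic checks (assumed, not exhaustive): any hit means the description
// is more than plain text and deserves a manual look.
const CHECKS = [
  ['html-tag', /<\s*[a-z!\/]/i],
  ['event-handler-attribute', /\bon[a-z]+\s*=/i],
  ['javascript-url', /javascript\s*:/i],
];

function flagShortDesc(desc) {
  return CHECKS.filter(([, re]) => re.test(desc)).map(([name]) => name);
}

// pages: object mapping page title -> wikitext.
function auditPages(pages) {
  const report = [];
  for (const [title, wikitext] of Object.entries(pages)) {
    for (const desc of extractShortDescs(wikitext)) {
      const reasons = flagShortDesc(desc);
      if (reasons.length > 0) report.push({ title, desc, reasons });
    }
  }
  return report;
}

const samplePages = {
  Aurora: '{{SHORTDESC:Starter ship made by {{Manufacturer|RSI}}}}\nBody text.',
  Sandbox: 'Intro {{SHORTDESC:<img src=x onerror=PLACEHOLDER>}} more text',
  Plain: '{{shortdesc: A plain description }}',
};
console.log(JSON.stringify(auditPages(samplePages), null, 2));
```

Flagged pages still need manual review; the checks only separate plain-text descriptions from ones containing markup.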