MediaWiki CheckUser Extension Special:CheckUser Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the CheckUser extension of MediaWiki, specifically within the Special:CheckUser interface. This issue arises from the rev-deleted-user message, which is not properly escaped, allowing the injection of JavaScript through the uselang=x-xss language override. The vulnerability affects CheckUser extension versions 1.42.X prior to 1.42.7 and 1.43.X prior to 1.43.2.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, set the configuration option $wgUseXssLanguage to true. Then, create a user account and suppress it to simulate a rev-deleted user. Access the Special:CheckUser page and modify the POST request to include a hidden input field that sets the uselang parameter to 'x-xss'. Submit the form, and the injected JavaScript will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to CheckUser extension versions 1.42.7 or 1.43.2 to address this vulnerability.