Wikimedia Foundation MediaWiki FlaggedRevs Extension Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the FlaggedRevs extension of MediaWiki, specifically in versions 1.43.X prior to 1.43.2. This vulnerability arises from improper input sanitization during web page generation, allowing malicious users to inject harmful scripts that could be executed in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the victim's user session.
Reproduction
To reproduce this vulnerability, navigate to the Special:PendingChanges page while using the 'x-xss' language, which highlights messages that are not properly escaped. Several popups will indicate the presence of internationalization (i18n) XSS, including messages related to pending changes review and table captions.
Remediation
Users can update to FlaggedRevs extension versions 1.43.2 or later to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.