Wikimedia Foundation MediaWiki MintyDocs Extension Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Wikimedia Foundation MediaWiki MintyDocs Extension, specifically in versions 1.39.X, 1.42.X, and 1.43.X prior to 1.43.2. This vulnerability arises from improper input sanitization during web page generation, allowing users to inject malicious JavaScript that is saved and executed later.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
Reproduction
The vulnerability can be reproduced by using the MintyDocs topic parser function to insert JavaScript into a Wikitext field that does not properly escape or sanitize the input. This injected script is then executed when the page is viewed, demonstrating the stored cross-site scripting flaw.
Remediation
Users can update to MintyDocs Extension versions 1.43.2 or later to address this vulnerability.
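The escaping gap described under Reproduction, shown as an added PHP example (this is not MintyDocs source code; the function names and the stored sample value are hypothetical and constructed for illustration). It renders the same stored value through an unescaped and an escaped output path, then inspects the resulting markup the way a regression test would.

```php
<?php
// Added illustration; not MintyDocs source. All function names are hypothetical.

// Constructed sample: a display name saved to a page through a parser function argument.
$stored = 'Install guide<script>document.title = "injected"</script>';

// Vulnerable pattern: the stored value is concatenated into HTML unescaped.
function renderTopicHeaderUnsafe(string $displayName): string
{
    return '<div class="topic-header">' . $displayName . '</div>';
}

// Hardened pattern: escape at output time for the HTML context the value lands in.
function renderTopicHeaderSafe(string $displayName): string
{
    // ENT_QUOTES also neutralizes quotes, which matters in attribute contexts.
    $text = htmlspecialchars($displayName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="topic-header">' . $text . '</div>';
}

// Regression check: list every element nested inside the wrapper <div>.
// Any entry means stored input was parsed by the browser as live markup.
function unexpectedElements(string $html): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate fragment-style HTML
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $found = [];
    if ($wrapper !== null) {
        foreach ($wrapper->getElementsByTagName('*') as $node) {
            $found[] = $node->nodeName;
        }
    }
    return $found;
}

echo 'unsafe: ' . json_encode(unexpectedElements(renderTopicHeaderUnsafe($stored))) . PHP_EOL;
echo 'safe:   ' . json_encode(unexpectedElements(renderTopicHeaderSafe($stored))) . PHP_EOL;
```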
