Wikimedia Foundation MediaWiki WebAuthn Extension Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the WebAuthn extension for MediaWiki, specifically in versions 1.39, 1.43, and 1.44. The vulnerability arises from improper input sanitization during web page generation, which allows malicious scripts to be injected, stored, and later executed.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, log into an account without two-factor authentication enabled and activate WebAuthn. When prompted to name the key, enter a name that contains a script, such as 'oops' followed by a script tag whose JavaScript code calls an alert. Complete the process, which redirects to the Special:AccountSecurity page. The injected script will execute an alert each time this page is visited. Although this XSS may not be highly exploitable, it could potentially allow user scripts to run on the Special:AccountSecurity page, where such scripts are normally disabled.
Remediation
Users can update to the patched versions of the WebAuthn extension available in the MediaWiki Gerrit repository.
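The general output-encoding defence for this class of bug, shown as an added example that is not the WebAuthn extension's code or its patch: a key name concatenated into markup beside the same renderer with the name escaped at output time. The function names and the sample key list are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical renderer, not the WebAuthn extension's code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every HTML-significant character so the value can only be read as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored key name is concatenated into markup as-is,
// so any tag inside the name becomes part of the page.
function renderKeyListUnsafe(keys) {
  return '<ul>' + keys.map((k) => '<li>' + k.name + '</li>').join('') + '</ul>';
}

// Hardened pattern: the name is escaped when the page is generated, which also
// neutralizes names that were stored before the fix was deployed.
function renderKeyListSafe(keys) {
  return '<ul>' + keys.map((k) => '<li>' + escapeHtml(k.name) + '</li>').join('') + '</ul>';
}

// Audit helper: return stored names that contain angle brackets, so they can
// be reviewed after patching.
function findSuspiciousKeyNames(keys) {
  return keys.filter((k) => /[<>]/.test(k.name)).map((k) => k.name);
}

// Constructed sample data following the reproduction steps above.
const sampleKeys = [
  { name: 'YubiKey 5 (office)' },
  { name: 'oops<script>alert(1)</script>' },
];

console.log(renderKeyListUnsafe(sampleKeys));
console.log(renderKeyListSafe(sampleKeys));
console.log(findSuspiciousKeyNames(sampleKeys));
```

Escaping at output rather than only at input matters for stored XSS, because values already saved in the database are rendered safely without a data migration.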
