Wikimedia Foundation MediaWiki PollNY Extension Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the PollNY extension for MediaWiki, specifically in versions 1.39, 1.43, and 1.44. This vulnerability arises from the improper handling of system messages, which are inserted as raw HTML, allowing malicious scripts to be executed when the message is rendered.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the poll.
Reproduction
To reproduce this vulnerability, set the $wgUseXssLanguage configuration variable to true. Create a poll and navigate to the 'Special:AdminPoll' page with the 'uselang' parameter set to 'x-xss'. From there, either delete a poll or change its status; either action displays the unescaped system message containing the injected script. Alternatively, edit the 'MediaWiki:Poll-finished' page to include a script, then create a poll and navigate through the poll's pages until the script is executed.
Remediation
Users can update to the latest version of the PollNY extension, where this vulnerability has been fixed.
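The raw-versus-escaped message handling described above, shown as an added example that is not the PollNY code: it models a message store with a probe mode similar in spirit to the 'x-xss' language and lists the renderers that emit message text unescaped. The store, the function names, the message text and the <probe> marker are all constructed for illustration.

```javascript
// Constructed stand-in for on-wiki system messages (text is illustrative).
// Anyone who can edit a message page controls the corresponding string.
const store = new Map([['poll-finished', 'This poll is finished. Thanks, $1!']]);

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructed probe marker: harmless markup that is easy to spot in output.
const probeMarker = (key) => `<probe data-key="${key}">`;

// In probe mode every message is replaced by the marker, so any code path
// that forgets to escape becomes visible without editing real messages.
function getMessage(key, { probe = false } = {}) {
  if (probe) return probeMarker(key);
  return store.has(key) ? store.get(key) : `(${key})`;
}

// Replace $1, $2, ... with the supplied parameters.
function substitute(text, params) {
  return text.replace(/\$(\d+)/g, (m, n) => (params[n - 1] !== undefined ? params[n - 1] : m));
}

// Vulnerable pattern: message text is placed into the HTML as-is.
function renderRaw(key, params = [], opts = {}) {
  return `<div class="poll-status">${substitute(getMessage(key, opts), params)}</div>`;
}

// Hardened pattern: message text and parameters are escaped before output.
function renderEscaped(key, params = [], opts = {}) {
  return `<div class="poll-status">${escapeHtml(substitute(getMessage(key, opts), params))}</div>`;
}

// Audit: call each renderer in probe mode and list those that emit the
// marker unescaped, as "rendererName:messageKey".
function findUnescaped(renderers, keys) {
  const hits = [];
  for (const [name, render] of Object.entries(renderers)) {
    for (const key of keys) {
      if (render(key, [], { probe: true }).includes(probeMarker(key))) hits.push(`${name}:${key}`);
    }
  }
  return hits;
}

console.log(findUnescaped({ renderRaw, renderEscaped }, ['poll-finished']));
```

Run with Node.js; only the raw renderer is reported, and the same audit can be pointed at any function that turns a message key into HTML.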