Wikimedia MediaWiki GlobalBlocking Extension Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the GlobalBlocking extension of MediaWiki, specifically in versions 1.43 and 1.44. This issue arises from improper input sanitization during web page generation, allowing malicious scripts to be embedded and executed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

The vulnerability can be reproduced by navigating to the Special:GlobalBlockList page with a version of MediaWiki that has the GlobalBlocking extension installed, specifically versions 1.43 or 1.44. The problematic message keys, 'globalblocking-block-flag-account-creation-disabled' and 'globalblocking-block-flag-autoblock-disabled', trigger the stored XSS when they are not properly escaped.

Remediation

Users can update to MediaWiki GlobalBlocking extension versions 1.45.0-wmf.18 or later, where this vulnerability has been addressed.