Wikimedia MediaWiki PageForms Extension Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Wikimedia Foundation's MediaWiki PageForms extension, specifically in version 1.44. This issue arises from the improper handling of system messages, which are inserted as raw HTML, allowing for the injection of malicious scripts that are stored and executed later.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, upload a file containing a malicious script to the Wikimedia Commons. Then, create a form in the PageForms extension that includes a 'Date' field. After that, go to the 'Special:MultiPageEdit' page, select the form you created, and add a row to the spreadsheet. Fill in the table cells with the 'Date' field and the uploaded file, then save the changes. The injected script will be executed when the page is viewed.

Remediation

Users can update to the latest version of the MediaWiki PageForms extension, where this vulnerability has been addressed.