Wikimedia Foundation MediaWiki HTML Injection Vulnerability in Api Feed Contributions

Vulnerability

A vulnerability allowing HTML injection has been identified in the Wikimedia Foundation MediaWiki API, specifically within the 'feedcontributions' action of the 'ApiFeedContributions' class. This issue affects MediaWiki versions prior to the fixed releases 1.39.13, 1.42.7, 1.43.2, and 1.44.0. The vulnerability arises because internationalization (i18n) messages are not escaped before being output, so unescaped script tags can be injected into the feed contributions API response.

Impact

Exploitation of this vulnerability allows for HTML injection, where unescaped HTML or script tags can be inserted into the API response. This could lead to cross-site scripting (XSS) vulnerabilities if the injected content is rendered by a feed reader or another application that processes the feed without proper sanitization.

Reproduction

To reproduce this vulnerability, set the '$wgLanguageCode' variable to 'x-xss' to trigger the injection. Then, make a request to the API 'feedcontributions' action, specifying a user such as 'Administrator' and including the 'uselang' parameter set to 'x-xss'. The response will contain the injected script tags in the 'title' and 'description' fields, demonstrating the HTML injection.
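The following is an added example, not MediaWiki code, written to illustrate the root cause described above (i18n message text written into the feed without escaping) and the symptom in the reproduction (script tags appearing inside 'title' and 'description'). It assumes an RSS 2.0 feed and models the 'x-xss' pseudo-locale with a constructed message string that carries a script tag; the function and constant names are hypothetical. The same rendering function is shown in its vulnerable form (raw interpolation) and its fixed form (escape before interpolation), and a parser-based check flags feed fields that contain markup instead of text.

```python
"""Added example (not MediaWiki's code): feed text built from i18n messages
must be escaped, and a feed can be checked for fields that contain markup.

Assumptions: RSS 2.0 XML, plain-text message strings, and the 'x-xss'
pseudo-locale modelled by a constructed message containing a <script> tag.
Nothing here contacts a real wiki."""
import html
import xml.etree.ElementTree as ET

# Constructed stand-in for an i18n message under an XSS test locale: the
# message text itself carries markup, which must never reach the feed raw.
XSS_MESSAGE = "Contributions <script>alert(1)</script>"
SAFE_MESSAGE = "Contributions"


def render_item(title: str, description: str, escape: bool) -> str:
    """Return one RSS <item>. escape=False pastes the strings straight into
    the XML (the vulnerable pattern); escape=True HTML/XML-escapes them first
    (the fix)."""
    if escape:
        title = html.escape(title, quote=True)
        description = html.escape(description, quote=True)
    return (
        "<item>"
        f"<title>{title}</title>"
        f"<description>{description}</description>"
        "</item>"
    )


def render_feed(items: list[str]) -> str:
    """Wrap rendered items in a minimal RSS 2.0 document."""
    return (
        '<?xml version="1.0"?><rss version="2.0"><channel>'
        + "".join(items)
        + "</channel></rss>"
    )


def find_unescaped_markup(feed_xml: str) -> list[str]:
    """Parse a feed and report every <title>/<description> that contains
    child elements instead of plain text. A correctly escaped feed never has
    child elements there: injected markup arrives as '&lt;script&gt;', which
    the parser hands back as literal characters. Raw injection of a stray
    '<' or '&' breaks well-formedness instead, so a parse error is reported
    as a finding rather than swallowed."""
    try:
        root = ET.fromstring(feed_xml)
    except ET.ParseError as exc:
        return [f"feed is not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        if elem.tag in ("title", "description") and len(elem):
            children = ",".join(child.tag for child in elem)
            findings.append(f"{elem.tag} contains elements: {children}")
    return findings


def field_text(feed_xml: str) -> list[str]:
    """Return the decoded text of every title/description, in document order."""
    root = ET.fromstring(feed_xml)
    return [elem.text or "" for elem in root.iter()
            if elem.tag in ("title", "description")]


if __name__ == "__main__":
    vulnerable = render_feed([render_item(XSS_MESSAGE, XSS_MESSAGE, escape=False)])
    fixed = render_feed([render_item(XSS_MESSAGE, XSS_MESSAGE, escape=True)])
    print("vulnerable:", find_unescaped_markup(vulnerable))
    print("fixed:", find_unescaped_markup(fixed))
    print("fixed text:", field_text(fixed))
```

Run on a captured feed response, the check returns an empty list for a feed whose message text was escaped, and names the injected element (here 'script') under each affected field otherwise; a feed whose raw injection is not even well-formed XML is reported as such instead of being skipped.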

Remediation

The vulnerability has been addressed in MediaWiki versions 1.39.13, 1.42.7, 1.43.2, and 1.44.0. Users should update to one of these versions to mitigate the vulnerability.

Added: Feb 2, 2026, 11:49 PM
Updated: Feb 2, 2026, 11:49 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.7
exploitability: 9.7
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.