Wikimedia Foundation MultimediaViewer Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Wikimedia Foundation's MultimediaViewer extension. This issue affects versions prior to 1.39.13, as well as 1.42.7, 1.43.2, and 1.44.0. The vulnerability arises from improper handling of system messages, which allows for the injection of malicious scripts that are executed when the messages are displayed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.

Reproduction

To reproduce this vulnerability, upload a file to a wiki and add it to a page. Then, access the page with the 'uselang=x-xss' parameter, which injects script tags into the localized UI elements of MultimediaViewer. Click on a thumbnail to open the image in MultimediaViewer, and the injected script will execute. This vulnerability can also be reproduced by clicking the 'Download' button in MultimediaViewer, which triggers the same cross-site scripting execution.

Remediation

Users can update to MultimediaViewer versions 1.39.13, 1.42.7, 1.43.2, or 1.44.0 to address this vulnerability.