Wikimedia Foundation Vector Cross-Site Scripting Vulnerability in Portlet Labels
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the Wikimedia Foundation Vector skin, both in the 2022 version and the legacy version. This issue arises because the JavaScript implementation for portlets in the Vector skin improperly sanitizes portlet label text, inserting it as HTML. As a result, malicious scripts can be embedded and executed, particularly through system messages. The vulnerability affects Vector versions from 1.40.0 before 1.42.7, before 1.43.2, and before 1.44.0.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, edit the MediaWiki:vector-feature-custom-font-size-name and MediaWiki:vector-feature-limited-width-name pages. Insert an image tag with an 'onerror' attribute that triggers a JavaScript alert. After saving the changes, visit any page using the Vector 2022 skin to see the alert. Alternatively, the vulnerability can be reproduced by using the 'mw.util.addPortlet' function in the browser console to inject similar payloads into a portlet.
Remediation
Users can update to Vector versions 1.42.7, 1.43.2, or 1.44.0, where this vulnerability has been fixed.
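The root cause described above (label text inserted as HTML) and a check for message overrides that carry markup, as an added example. This is not Vector's code: the function names, the "portlet-label" class, the "example-plain-label" key and the sample message values are assumptions constructed for illustration.

```javascript
// Added example, not Vector's source. All function and class names are hypothetical.

// Escape the characters that are significant in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the label is concatenated into markup unchanged,
// so any tag in the message becomes a live element once the string is parsed.
function renderLabelUnsafe(label) {
  return '<span class="portlet-label">' + label + '</span>';
}

// Hardened pattern: the label is treated as text and escaped before insertion.
// In a browser the equivalent is assigning element.textContent = label.
function renderLabelSafe(label) {
  return '<span class="portlet-label">' + escapeHtml(label) + '</span>';
}

// Audit helper: return the keys of message overrides that contain tag-like markup.
// A plain-text label has no reason to contain '<' followed by a letter, '/' or '!'.
function findMarkupInMessages(messages) {
  return Object.keys(messages).filter((key) => /<[a-z\/!]/i.test(messages[key]));
}

// Constructed sample data: the two message keys named in the advisory plus one
// constructed key, with constructed values.
const sampleMessages = {
  'vector-feature-custom-font-size-name': 'Text',
  'vector-feature-limited-width-name': '<img src="x" onerror="alert(1)">',
  'example-plain-label': 'Width & layout',
};

console.log(findMarkupInMessages(sampleMessages));
console.log(renderLabelSafe(sampleMessages['vector-feature-limited-width-name']));
```

On an unpatched wiki, running the audit helper over the current MediaWiki: namespace overrides shows which labels would be parsed as HTML; after upgrading, such values should render as literal text.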
