MediaWiki MsUpload Extension Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the MsUpload extension for MediaWiki. This issue arises from the msu-continue system message, which is injected into the DOM without adequate sanitization. The vulnerability is present in the file upload user interface when a file with the same name as an already uploaded file is uploaded twice. This affects MsUpload versions for MediaWiki 1.39.X prior to 1.39.13, 1.42.X prior to 1.42.7, and 1.43.X prior to 1.43.2.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, ensure that the WikiEditor and MsUpload extensions are enabled. Then, either edit a page and upload a file with a name that matches an already uploaded file, or manually inject a script into the 'Msu-continue' system message before uploading a file with a duplicate name.

Remediation

Users can update to MsUpload versions 1.39.13, 1.42.7, or 1.43.2 to address this vulnerability.