MediaWiki TitleIcon Extension Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the TitleIcon extension for MediaWiki. The issue arises from the #titleicon_unicode parser function, which accepts user input without proper sanitization. The unvalidated input is then wrapped in an HtmlArmor object, which marks its content as HTML that should not be escaped, and rendered directly into the page header, enabling the injection of arbitrary JavaScript. This vulnerability affects TitleIcon extension versions 1.39.X prior to 1.39.13, 1.42.X prior to 1.42.7, and 1.43.X prior to 1.43.2.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
Reproduction
To reproduce this vulnerability, first enable the TitleIcon extension. Then, insert a payload containing JavaScript, such as an alert script, into a page using the #titleicon_unicode parser function. After saving the page, the injected script will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users can update to TitleIcon extension versions 1.39.13, 1.42.7, or 1.43.2 to address this vulnerability.
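An added example, not part of the advisory or the TitleIcon code base: because the payload is stored in page content, auditing existing wikitext for #titleicon_unicode calls that carry markup complements the update. It assumes page text is supplied as a title-to-wikitext mapping (for instance from an export) and that an icon argument should contain no angle brackets; the function names and sample pages are constructed for illustration.

```python
import re

# Opening of a #titleicon_unicode call; matched case-insensitively to be conservative.
CALL_START = re.compile(r"\{\{\s*#titleicon_unicode\s*:", re.IGNORECASE)
# Angle brackets are not expected in an icon argument (assumption of this audit).
MARKUP = re.compile(r"[<>]")

def extract_calls(wikitext):
    """Return the raw argument text of every {{#titleicon_unicode:...}} call.
    Nested {{ }} pairs are tracked so a template inside the argument does not
    end the call early; an unterminated call runs to the end of the text."""
    calls = []
    for m in CALL_START.finditer(wikitext):
        depth, i = 1, m.end()
        while i < len(wikitext) and depth:
            if wikitext.startswith("{{", i):
                depth, i = depth + 1, i + 2
            elif wikitext.startswith("}}", i):
                depth, i = depth - 1, i + 2
            else:
                i += 1
        end = i - 2 if depth == 0 else len(wikitext)
        calls.append(wikitext[m.end():end])
    return calls

def classify(arg):
    """'markup': literal tag characters; 'indirect': value comes from a
    template or parameter resolved at render time; 'plain': neither."""
    if MARKUP.search(arg):
        return "markup"
    return "indirect" if "{{" in arg else "plain"

def audit(pages):
    """pages maps title -> wikitext. Returns (title, verdict, argument) for
    every call that is not 'plain', in page order."""
    return [(title, classify(arg), arg.strip())
            for title, text in pages.items()
            for arg in extract_calls(text)
            if classify(arg) != "plain"]

# Constructed sample pages, not taken from the advisory.
SAMPLE_PAGES = {
    "Benign": "Intro {{#titleicon_unicode: ★ }} text",
    "Nested": "{{#titleicon_unicode: {{{icon|☆}}} }}",
    "Tagged": "{{#TitleIcon_Unicode: <script>alert(1)</script> }}",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGES):
        print(finding)
```

Calls reported as "indirect" take their value from a template or parameter, so the text that reaches the page header has to be checked at the template or at the calling page.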
