Wikimedia Foundation MediaWiki Wikibase Extension Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Wikimedia Foundation MediaWiki Wikibase Extension, affecting versions 1.39, 1.43, 1.44, and 1.45. This vulnerability arises from improper handling of input in system messages, which are parsed and inserted into autocomments. The issue allows for the execution of malicious scripts, particularly in edit summaries, and can be exploited by users with certain privileges.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.

Reproduction

To reproduce this vulnerability, enable the WikibaseRepository. Then, edit the MediaWiki:Wikibase-entity-summary-wbsetdescription-set page to include a payload in a specific format. After that, edit the description of an item and review the revision history, where the payload will execute. This vulnerability can also be reproduced through the WikibaseClient, although it requires specific conditions to be met.

Remediation

This vulnerability has been addressed by escaping system messages before they are parsed and inserted into autocomments. Users can update to the latest version of the Wikibase Extension to apply this fix.