Wikimedia Foundation MediaWiki Monaco Skin Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Wikimedia Foundation MediaWiki Monaco Skin, affecting versions 1.39, 1.43, 1.44, and 1.45. This vulnerability arises from improper input handling during web page generation, allowing malicious users to inject harmful scripts that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, add a specific category to the Monaco sidebar or create a user page with certain content that triggers the XSS. This can be done by manipulating the 'Monaco-footer-improve-linktext', 'Monaco-view-history', or 'permalink' features, which are all vulnerable to XSS injection.

Remediation

Users can update to the latest version of the MediaWiki Monaco Skin, where this vulnerability has been addressed.