MediaWiki RenderBlocking Extension Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the MediaWiki RenderBlocking extension, specifically in versions through 0.1.0. The issue arises when the Inline Assets mode is enabled, allowing users with editsitecss permissions to inject malicious scripts into renderblocking-css. This vulnerability requires the '$wgRenderBlockingInlineAssets' setting to be true.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.
Reproduction
To reproduce this vulnerability, enable the Inline Assets mode by setting '$wgRenderBlockingInlineAssets' to true. Then, use an account with editsitecss permissions to save a payload, such as a script tag containing JavaScript (e.g., an alert), into 'MediaWiki:Renderblocking.css'. The injected script will be executed when the CSS page is loaded.
Remediation
Users can update to version 0.1.1 of the RenderBlocking extension, which addresses the vulnerability by sanitizing CSS inputs to prevent script injection.
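The kind of input neutralisation the remediation describes, as an added example: this is not code from the RenderBlocking extension, and the actual 0.1.1 change is not shown on this page. It assumes Inline Assets mode places the saved CSS inside a `<style>` element; the function names and the sample CSS are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: site CSS as an editsitecss user could save it
# (the page's reproduction case: a script tag containing an alert).
SAMPLE_CSS = "body { margin: 0 }</style><script>alert(1)</script><style>"


def inline_unsafe(css: str) -> str:
    """'Before' form (assumed): CSS concatenated straight into <style>."""
    return "<style>" + css + "</style>"


def escape_for_style(css: str) -> str:
    """Neutralise '<' with the CSS escape \\3C (trailing space ends the escape).

    A <style> element is raw text: only a literal '</style' can close it, so
    with no '<' left the content cannot leave the element. '>' is kept because
    CSS uses it as the child combinator.
    """
    return css.replace("<", "\\3C ")


def inline_safe(css: str) -> str:
    return "<style>" + escape_for_style(css) + "</style>"


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in the rendered markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe:", tags_in(inline_unsafe(SAMPLE_CSS)))
    print("safe:  ", tags_in(inline_safe(SAMPLE_CSS)))
```

A `script` start tag in the parsed output of an inlined stylesheet is also a usable audit signal when reviewing existing site CSS pages before upgrading.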
