Wikimedia MediaWiki CampaignEvents Extension Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the CampaignEvents extension of MediaWiki, specifically in versions 1.43.7, 1.44.4, and 1.45.2. The issue arises from improper handling of input during web page generation, allowing malicious users to inject harmful scripts that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the victim's browser.

Reproduction

The vulnerability can be reproduced by accessing the 'Contributions' tab of 'Special:EventDetails' while using a version of the MediaWiki CampaignEvents extension that is affected by this vulnerability. Localized wiki names displayed in this tab are sourced from project-localized-name messages and are output without proper escaping, creating an opportunity for XSS.

Remediation

Users can update to the latest version of the MediaWiki CampaignEvents extension, where this vulnerability has been addressed.