CVE-2021-42047 An issue was discovered in the Growth extension in MediaWiki through 1.36.2

This results in a page takeover, allowing for arbitrary JavaScript to be executed on the page. For example, remote code execution can be achieved by injecting a script: alert('Hi ' + victim);

Impacted sites include those with the Growth extension enabled, such as sites using the MediaWiki software package. Sites that allow users to create topics, or mentor other users, are at risk.
Red Hat released a security advisory on the issue: https://www.redhat.com/security/data safety/mediawiki-growth-extension-xss/ A workaround is to disable the feature.

CVE-2021-42048

This results in a possible information disclosure of the form {"'id': '

Update Instructions

1) Open your browser and navigate to the wiki you’re using.
2) Click "Edit," then choose "Settings" from the top of the screen.
3) Toggle off the "Growth extension" feature.

CVE-2022-42048

This results in a cross-site scripting (XSS) vulnerability. For example, it might be possible to execute JavaScript in other users' browsers when they visit the affected site through social media sharing buttons.
Red Hat released a security advisory on the issue: https://www.redhat.com/security/data safety/mediawiki-cross-site-scripting/ A workaround is to disable the feature.

Base64 encoding and JavaScript injection

Base64 encoding is a method of translating binary data into text, or the other way around. This process is often used to convert binary files into a human-readable format, such as by embedding them in an HTML document.
In general, it can also be used to encode and decode binary information on the fly. In practice, Base64 encoding is widely supported in most programming languages and web browsers.
Page takesovers are a type of XSS attack that target insecure web applications that allow users to upload content without verifying it first. The attacker replaces values stored on the server with their own malicious code which then executes when viewing the page in question.
A Base64 encoded data string will have some unusual characters at its end, like ‘=' and '='. These characters should not be included when Base64 encoding a string, but if they're present, they'll be displayed as '=' instead of '='.
Base64 encodes data by representing each byte as four hexadecimal characters (00-FF), starting from the least significant bit (leftmost bit).

Timeline

Published on: 09/29/2022 03:15:00 UTC
Last modified on: 09/30/2022 16:37:00 UTC

References

• https://phabricator.wikimedia.org/T289063
• https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/720088
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42047