CVE-2022-42985 The ScratchLogin extension through 1.1 for MediaWiki does not escape verification failure messages, which allows users with administrator privileges to perform XSS attacks.

These messages are displayed as HTML instead of the expected warning banner. To exploit this vulnerability, a user with administrator privileges could embed malicious JavaScript code in the message.

Extension developers are encouraged to review the source of their extensions to confirm that user input is not being cut and pasted from the browser console.

CVE-2023-42986

These messages are displayed as HTML instead of the expected warning banner. To exploit this vulnerability, a user with administrator privileges could embed malicious JavaScript code in the message.

Extension developers are encouraged to review the source of their extensions to confirm that user input is not being cut and pasted from the browser console.

Critical: Arbitrary code execution vulnerability

An arbitrary JavaScript execution vulnerability has been discovered in the extension. The vulnerability is triggered when a user clicks on an embedded link that points to a website controlled by an attacker. To exploit this vulnerability, the user must have administrator privileges and the message being sent must have HTML content.

Timeline

Published on: 11/17/2022 05:15:00 UTC
Last modified on: 11/17/2022 22:26:00 UTC

References

• https://github.com/InternationalScratchWiki/mediawiki-scratch-login/blob/4d2c1229b558b9cd685961274f20b621d114f4db/ScratchLogin.common.php#L104
• https://github.com/InternationalScratchWiki/mediawiki-scratch-login/pull/22
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42985