While looking over the code for the most recent version of Semantic Forms, I noticed some issues with lack of escaping, and some quick tests verified that there were XSS issues in the extension on Special:CreateForm and Special:FormEdit. I haven't looked over all of the extension yet, so there are possibly more. As far as I know, this extension is only enabled on wikitech, but many third parties using Semantic MediaWiki have it installed.
URLs with examples of the vulnerable parameters (tested in Firefox, can be confirmed while logged in or logged out):
- https://wikitech.wikimedia.org/wiki/Special:CreateForm?section_foo=%22%3E%3Cscript%3Ealert%280%29;%3C/script%3E
- https://wikitech.wikimedia.org/wiki/Special:FormEdit?form=Server&target=%22%20onmouseover=%22alert%280%29;&alt_form=foo (hover over the foo link)
- https://wikitech.wikimedia.org/wiki/Special:FormEdit?form=Server&target=foo&alt_form=%22%20onmouseover=%22alert%281%29;%22%20%22 (hover over the foo link)
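
The class of escaping gap reported above, shown next to an escaped form and a regression check. This is an added PHP example, not Semantic Forms code and not part of the original report. The function names and link markup are hypothetical; the two test strings are the decoded `alt_form` and `section_foo` values from the URLs above, and the check assumes PHP's DOM extension is available.

```php
<?php
// Added illustration, not Semantic Forms source: function names and the
// link markup are hypothetical stand-ins for HTML built from request input.

// Unsafe: the raw value is concatenated into a double-quoted attribute.
function renderLinkUnsafe(string $value): string {
    return '<a href="?alt_form=' . $value . '">' . $value . '</a>';
}

// Escaped: URL-encode for the query string, then HTML-escape everything
// that lands in attribute or text context.
function renderLinkEscaped(string $value): string {
    $href = '?alt_form=' . rawurlencode($value);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Regression check: parse the fragment and list markup the template never
// intended (attributes other than href on the link, or any script element).
function injectedMarkup(string $html): array {
    libxml_use_internal_errors(true); // malformed input is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $found = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        foreach ($a->attributes as $attr) {
            if ($attr->name !== 'href') {
                $found[] = 'attribute:' . $attr->name;
            }
        }
    }
    if ($doc->getElementsByTagName('script')->length > 0) {
        $found[] = 'element:script';
    }
    return $found;
}

// Decoded parameter values taken from the report's URLs.
$values = ['" onmouseover="alert(1);" "', '"><script>alert(0);</script>'];
foreach ($values as $value) {
    printf("unsafe:  %s\n", json_encode(injectedMarkup(renderLinkUnsafe($value))));
    printf("escaped: %s\n", json_encode(injectedMarkup(renderLinkEscaped($value))));
}
```

In MediaWiki code, building the tag with `Html::element()` gives the same result, since it escapes attribute values and text content.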