As reported via Aidil Arief to security@ on 2021-10-16:
There appears to be an XSS via the caption fields for a given media file
in Special:UploadWizard. I've tested a couple of variations of the provided payload ("><img src=x onerror=prompt()>) which do not seem to execute, but the provided payload definitely does.
Steps to reproduce
- Log in to commons.wikimedia.org
- Upload your media file at https://commons.wikimedia.org/wiki/Special:UploadWizard, or work with an existing media file
- Input "><img src=x onerror=prompt()> or similar as a value for one or more caption fields for the media file