There is an XSS vulnerability in the FormWizard gadget on enwiki. If an attacker adds certain wikitext to a page in the Wikipedia namespace, then any user who clicks on that wikitext runs JavaScript of the attacker's choosing in their own session. The gadget is loaded by default, and so the vulnerability affects all logged-in users who haven't explicitly disabled it.
Steps to reproduce:
- Log into the English Wikipedia, and make sure that the FormWizard gadget is enabled in your preferences.
- Go to any page in the Wikipedia namespace in edit mode (for example, Wikipedia:Sandbox).
- Enter the text <div class="wp-formsGadget" data-type="foo&title=User:Mr._Stradivarius/gadgets/alerttest.js" style="font-size:xxx-large;color:blue;text-decoration:underline">Click me</div> in the edit window and click Preview.
- Click on the "Click me" pseudo-link that appears in the preview pane.
This loads User:Mr. Stradivarius/gadgets/alerttest.js, which is set to display an alert with the text "Running JS from User:Mr. Stradivarius/gadgets/alerttest.js".
This was tested on Firefox 95.0.1.
The vulnerability is caused by the configFullPath variable not being URL-encoded on line 975 of the gadget when it is appended to the config URL. This URL is then loaded with jQuery.getScript on line 988, which executes whatever the server returns as JavaScript. Both the gadget namespace portion and the gadget type portion of the configFullPath variable can be controlled by an attacker: the gadget namespace portion through the page title, and the gadget type portion through the data-type attribute of any element on the page with the class "wp-formsGadget". I have chosen the latter for the example above, as it can be used on any page in the Wikipedia namespace.
Because configFullPath is not encoded, the "&" and "=" characters in the data-type value are parsed as query-string syntax, so the attacker can inject a second "title" parameter into the URL. PHP keeps the last value of a repeated query parameter, so the injected title overrides the initial one (a subpage of MediaWiki:Gadget-formWizard) and the attacker can specify a title of their choice. This makes it possible to load and run arbitrary user scripts, as done in the example.
The fix is simple enough (encode configFullPath using encodeURIComponent on line 975), but I am not sure if copies of the gadget are being used on other wikis, and if the fix needs to be coordinated with them.
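To make the mechanism and the proposed fix concrete, here is an added illustration (this is not the gadget's code; the shape of the config URL, the "Wikipedia" namespace portion and the function names are assumptions) of how the unencoded data-type value smuggles a second title parameter into the URL, and how wrapping configFullPath in encodeURIComponent keeps the same characters inside the single title value:

```javascript
// Added example for this report; it is not the FormWizard gadget's code.
// Assumptions (hypothetical, for illustration only):
//  - the config URL has the shape
//    /w/index.php?title=MediaWiki:Gadget-formWizard/<configFullPath>&action=raw&ctype=text/javascript
//  - configFullPath is "<namespace portion>/<type portion>", the type portion
//    being the data-type attribute value verbatim.
// Runs under Node.js (the WHATWG URL class is a global).

const ORIGIN = 'https://en.wikipedia.org';
const CONFIG_PREFIX = 'MediaWiki:Gadget-formWizard/';

// Vulnerable builder: configFullPath is concatenated into the query string
// unencoded, so "&" and "=" inside it are parsed as new parameters.
function buildConfigUrlVulnerable(configFullPath) {
  return ORIGIN + '/w/index.php?title=' + CONFIG_PREFIX + configFullPath +
    '&action=raw&ctype=text/javascript';
}

// Fixed builder (the fix proposed in the report): encodeURIComponent turns
// "&", "=", "/" and ":" into %XX escapes, so everything stays in one title value.
function buildConfigUrlFixed(configFullPath) {
  return ORIGIN + '/w/index.php?title=' + CONFIG_PREFIX + encodeURIComponent(configFullPath) +
    '&action=raw&ctype=text/javascript';
}

// Models what MediaWiki actually serves: PHP's $_GET keeps the last value of a
// repeated query parameter, so a second title= wins over the first.
function effectiveTitle(urlString) {
  const titles = new URL(urlString).searchParams.getAll('title');
  return titles.length ? titles[titles.length - 1] : null;
}

// The property a fixed gadget must preserve: the script it executes comes from
// under the gadget's own config prefix, never from an arbitrary page.
function staysUnderConfigPrefix(urlString) {
  const title = effectiveTitle(urlString);
  return title !== null && title.startsWith(CONFIG_PREFIX);
}

// Constructed inputs: the data-type value from the report, with an assumed
// namespace portion of "Wikipedia" in front of it.
const ATTACKER_TYPE = 'foo&title=User:Mr._Stradivarius/gadgets/alerttest.js';
const CONFIG_FULL_PATH = 'Wikipedia/' + ATTACKER_TYPE;

// Builds both URLs for one configFullPath and reports which page each one
// would really fetch and execute.
function demonstrate(configFullPath = CONFIG_FULL_PATH) {
  const vulnerable = buildConfigUrlVulnerable(configFullPath);
  const fixed = buildConfigUrlFixed(configFullPath);
  return {
    vulnerableUrl: vulnerable,
    vulnerableTitle: effectiveTitle(vulnerable),   // the attacker's user script
    vulnerableSafe: staysUnderConfigPrefix(vulnerable),
    fixedUrl: fixed,
    fixedTitle: effectiveTitle(fixed),             // still a Gadget-formWizard subpage
    fixedSafe: staysUnderConfigPrefix(fixed),
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The check in staysUnderConfigPrefix is the one to keep in mind when reviewing the fix: after encoding, the parsed URL carries exactly one title parameter, and its value (including the literal "&title=" text) is a subpage of MediaWiki:Gadget-formWizard, which is a page only interface administrators can edit.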