The JS implementation for portlets in the Vector skin (both 2022 and legacy) inserts the text of portlet labels as HTML, allowing for stored XSS through system messages.
Reproduction
Via system messages
<script> tags do not work here due to the way the HTML is inserted.
- Edit MediaWiki:vector-feature-custom-font-size-name to <img src="" onerror="alert('vector-feature-custom-font-size-name')">
- Edit MediaWiki:vector-feature-limited-width-name to <img src="" onerror="alert('vector-feature-limited-width-name')">
- Visit any page using Vector 2022.
Via JS
- Run the following code in the browser console: mw.util.addPortlet( 'p-mytest', '<img src="" onerror="alert(1)">', '#p-views' ); (<script> tags do not work here due to the way the HTML is inserted)
Cause
In what appears to be code that wraps a portlet label in a div, the textContent of the label is taken and assigned to the innerHTML of a div, so any markup contained in the label text is parsed as HTML again:
Legacy: https://github.com/wikimedia/mediawiki-skins-Vector/blob/9567e80c627110d42d56ccdc832ecd476dd86ded/resources/skins.vector.legacy.js/portlets.js#L27
2022: https://github.com/wikimedia/mediawiki-skins-Vector/blob/9567e80c627110d42d56ccdc832ecd476dd86ded/resources/skins.vector.js/portlets.js#L28
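The pattern described above next to a hardened form, as an added example that is not Vector's own code. The function names, the wrapper element and the sample label are assumptions made for illustration.

```javascript
// Added example: names are hypothetical, this is not Vector's portlets.js.

// Vulnerable pattern: textContent returns entity-decoded text, so writing it
// to innerHTML makes the browser parse the label text as markup again.
function wrapLabelUnsafe(label, doc = globalThis.document) {
  const wrapper = doc.createElement('div');
  wrapper.innerHTML = label.textContent;
  label.replaceChildren(wrapper);
  return wrapper;
}

// Hardened form: writing to textContent keeps the label a single text node,
// whatever characters the system message or addPortlet() caller supplied.
function wrapLabelSafe(label, doc = globalThis.document) {
  const wrapper = doc.createElement('div');
  wrapper.textContent = label.textContent;
  label.replaceChildren(wrapper);
  return wrapper;
}

// Regression check: how many elements did a label text turn into?
// Anything above 0 means the text was interpreted as HTML.
function countLabelElements(wrap, labelText, doc = globalThis.document) {
  const label = doc.createElement('span');
  label.textContent = labelText;
  return wrap(label, doc).childElementCount;
}

// Constructed, inert sample input (no script or event handler).
const SAMPLE_LABEL = '<em>Text</em> & more';
```

In a browser console, `countLabelElements(wrapLabelUnsafe, SAMPLE_LABEL)` returns 1 and the same call with `wrapLabelSafe` returns 0.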
Additional information
I discovered and reported a similar XSS in the Citizen skin earlier today, and both the vulnerability and the fix are already public, since I was not aware that this affects Vector as well: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-jwr7-992g-68mh
I randomly stumbled upon the same code in Vector later today and quickly realized that it is therefore vulnerable to the same vulnerability.
There may be more affected system messages or even potentially user input that could allow for cross-site-scripting, depending on whether other extensions and user scripts supply unsanitized user input to the addPortlet function.

