CVE-2024-23178 is a medium severity cross-site scripting (XSS) vulnerability identified in the Phonos extension of MediaWiki versions prior to 1.40.2. The vulnerability arises from improper sanitization in the PhonosButton.js script, specifically related to the handling of the phonos-purge-needed-error message, which is internationalization (i18n) based. This flaw allows an attacker to inject malicious scripts via crafted i18n messages that are not properly escaped or sanitized before being rendered in the user's browser. The vulnerability is classified under CWE-79, indicating a classic reflected or stored XSS issue. The CVSS v3.1 base score is 5.4, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), user interaction (UI:R), scope changed (S:C), and limited impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). Exploitation requires the attacker to have some level of privileges (low) and the victim to interact with the malicious content, which could be delivered through manipulated i18n messages or error messages in the Phonos extension interface. No known exploits are currently reported in the wild, and no patch links are provided in the data, but upgrading to MediaWiki 1.40.2 or later is implied as a remediation step. This vulnerability could be leveraged to execute arbitrary JavaScript in the context of the victim’s browser session, potentially leading to session hijacking, credential theft, or other malicious actions within the scope of the MediaWiki application.

For European organizations using MediaWiki with the Phonos extension, this vulnerability poses a risk of client-side script injection that can compromise user sessions and data confidentiality. Since MediaWiki is widely used for internal documentation, knowledge bases, and collaborative platforms, exploitation could lead to unauthorized access to sensitive organizational information or disruption of collaborative workflows. The requirement for low privileges and user interaction means that internal users or contributors could be targeted via crafted messages or links, increasing the risk of insider threats or spear-phishing attacks within corporate environments. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting other parts of the MediaWiki installation. While the impact on availability is none, the confidentiality and integrity impacts, although limited, can still be significant in environments where sensitive or proprietary information is stored or shared. European organizations with strict data protection regulations (e.g., GDPR) must consider the potential for data leakage or unauthorized access resulting from this vulnerability.

1. Upgrade MediaWiki installations to version 1.40.2 or later, where the Phonos extension vulnerability has been addressed. 2. If immediate upgrade is not feasible, implement strict input validation and output encoding for all i18n messages, especially those related to error handling in the Phonos extension. 3. Restrict privileges for users who can modify or inject i18n messages or error content to minimize the risk of malicious input. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the MediaWiki environment. 5. Conduct regular security audits and code reviews focusing on extensions and custom scripts that handle user-generated or localized content. 6. Educate users about the risks of interacting with untrusted links or messages within the MediaWiki platform to reduce the likelihood of successful social engineering attacks. 7. Monitor logs for unusual activity related to the Phonos extension or unexpected script execution attempts.