
CVE-2024-34500: n/a

Severity: Medium
Published: Sun May 05 2024 (05/05/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.

AI-Powered Analysis

Last updated: 11/04/2025, 17:55:23 UTC

Technical Analysis

CVE-2024-34500 is a cross-site scripting (XSS) vulnerability identified in the UnlinkedWikibase extension of MediaWiki, affecting versions before 1.39.6, 1.40.x prior to 1.40.2, and 1.41.x before 1.41.1. The vulnerability stems from a missing output-escaping step in the getError() function of the Hooks class: error messages stored in the $err variable are passed directly to Html::rawElement(), which emits its content as raw HTML, so any markup contained in the message is rendered as HTML/JavaScript by the user’s browser. This flaw is classified under CWE-79, indicating a classic reflected or stored XSS issue. The vulnerability can be triggered via interface messages, which may be manipulated by an attacker to inject arbitrary scripts. The CVSS 3.1 base score is 6.1 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component, and the impact affects confidentiality and integrity partially (C:L/I:L) but not availability (A:N). No public exploits have been reported yet, but the vulnerability could be leveraged to steal user credentials, perform session hijacking, or conduct phishing attacks within the affected MediaWiki environment. The issue is resolved in MediaWiki releases 1.39.6, 1.40.2, and 1.41.1 and later.
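
The defect class described in the Description and in the Technical Analysis above, shown as an added PHP illustration that is not the UnlinkedWikibase extension's own code and not the project's actual fix. The `Html` class below is a minimal stand-in that mirrors only the contract of the two MediaWiki helpers the advisory names (`rawElement()` trusts its content, `element()` HTML-escapes it); the function names `getErrorVulnerable()` and `getErrorFixed()` and the sample message are constructed for this example.

```php
<?php
// Added illustration of CVE-2024-34500's defect class: an error string placed
// into markup without escaping, beside the escaped form. Not MediaWiki code.

// Minimal stand-in for the two helpers the advisory mentions. Assumption: this
// reproduces only their contract, not MediaWiki's implementation.
final class Html {
    /** Wraps $contents in <$element> verbatim; the caller must guarantee it is safe HTML. */
    public static function rawElement( string $element, array $attribs, string $contents ): string {
        $attrStr = '';
        foreach ( $attribs as $name => $value ) {
            // Attribute values are always escaped; only $contents is trusted as-is.
            $attrStr .= ' ' . $name . '="' . htmlspecialchars( (string)$value, ENT_QUOTES, 'UTF-8' ) . '"';
        }
        return "<$element$attrStr>$contents</$element>";
    }

    /** Same as rawElement(), but treats $contents as text and HTML-escapes it first. */
    public static function element( string $element, array $attribs, string $contents ): string {
        return self::rawElement( $element, $attribs, htmlspecialchars( $contents, ENT_QUOTES, 'UTF-8' ) );
    }
}

// Vulnerable pattern (hypothetical name): $err reaches rawElement() unescaped,
// so any markup inside the interface message is emitted verbatim and the
// browser interprets it.
function getErrorVulnerable( string $err ): string {
    return Html::rawElement( 'span', [ 'class' => 'error' ], $err );
}

// Hardened pattern (hypothetical name): the message is treated as text.
// Html::element() escapes it, so the same input is displayed literally.
function getErrorFixed( string $err ): string {
    return Html::element( 'span', [ 'class' => 'error' ], $err );
}

// Constructed interface message that happens to contain markup. A benign tag
// is enough to show the difference: whatever passes through here unescaped
// would be interpreted by the browser in exactly the same way.
$msg = 'Item <em>Q42</em> was not found';

echo getErrorVulnerable( $msg ), "\n";
echo getErrorFixed( $msg ), "\n";
```

Run with `php example.php`: the first line contains the `<em>` tag unchanged inside the span, while the second renders it as `&lt;em&gt;` entities, so the browser shows the angle brackets as text. The review check this suggests for any extension is mechanical: every call to `Html::rawElement()` (or equivalent raw-HTML sink) whose content argument can carry an interface message or other user-influenced string should either be switched to `Html::element()` or be preceded by explicit escaping of that argument.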

Potential Impact

For European organizations, this vulnerability poses a risk primarily to those using MediaWiki installations with the UnlinkedWikibase extension in the affected versions. Exploitation could allow attackers to execute malicious scripts in the context of users’ browsers, potentially leading to theft of authentication tokens, session hijacking, or unauthorized actions performed on behalf of legitimate users. This can compromise the confidentiality and integrity of sensitive organizational data stored or managed via MediaWiki platforms. Since MediaWiki is widely used for internal knowledge management, documentation, and collaboration, an XSS attack could disrupt business processes and lead to data leakage or reputational damage. The lack of availability impact means systems remain operational, but trust in the platform could be undermined. The requirement for user interaction (e.g., clicking a crafted link) means social engineering could be used to facilitate attacks. Given the collaborative nature of MediaWiki, attackers might also use this vector to spread malware or phishing content internally.

Mitigation Recommendations

European organizations should immediately verify if their MediaWiki installations use the UnlinkedWikibase extension and identify the version in use. Upgrading to MediaWiki versions 1.39.6, 1.40.2, or 1.41.1 and later is the primary mitigation step to eliminate this vulnerability. If immediate upgrading is not feasible, organizations should implement strict Content Security Policy (CSP) headers to restrict script execution and reduce the impact of XSS. Additionally, administrators should audit interface messages and error handling code to ensure proper escaping and sanitization of user-controllable inputs. User awareness training to recognize suspicious links or messages can reduce the risk of social engineering exploitation. Monitoring web server logs for unusual requests targeting interface messages or error generation endpoints can help detect attempted exploitation. Finally, consider isolating MediaWiki instances behind VPNs or internal networks to limit exposure to external attackers.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2024-05-05T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690a3b50ff58c9332ff073c5

Added to database: 11/4/2025, 5:43:44 PM

Last enriched: 11/4/2025, 5:55:23 PM

Last updated: 11/5/2025, 1:57:21 PM
