CVE-2024-40600 identifies a stored cross-site scripting (XSS) vulnerability in the Metrolook skin for MediaWiki, a popular open-source wiki platform. The vulnerability exists in the handling of the MediaWiki:Sidebar top-level menu entries, where user-supplied input is improperly sanitized before being rendered. This flaw allows an attacker to inject malicious JavaScript code that is stored persistently and executed in the browsers of users who view the affected sidebar. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.1, reflecting a medium severity with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, user interaction needed, scope changed, and low impact on confidentiality and integrity but no impact on availability. Since the Metrolook skin is an optional visual theme for MediaWiki, the vulnerability specifically affects deployments using this skin up to version 1.42.1. No patches or fixes have been published yet, and no active exploitation has been reported. The vulnerability could be exploited by an unauthenticated attacker who can edit or inject content into the sidebar entries, which may be possible if editing permissions are not properly restricted. Successful exploitation could lead to session hijacking, defacement, or redirection attacks targeting users of the wiki.

The primary impact of CVE-2024-40600 is the compromise of confidentiality and integrity for users accessing MediaWiki sites with the Metrolook skin. Attackers can execute arbitrary scripts in the context of the victim’s browser, potentially stealing session cookies, performing actions on behalf of the user, or delivering malicious payloads. While availability is not affected, the trustworthiness of the wiki content and user data is at risk. Organizations relying on MediaWiki for internal documentation, knowledge sharing, or public information dissemination could face reputational damage, data leakage, or unauthorized access. Since no authentication is required for exploitation, any visitor who views the sidebar could be targeted, increasing the attack surface. The scope is limited to MediaWiki instances using the Metrolook skin, but given MediaWiki’s widespread use in government, education, and open-source projects, the impact can be significant in those sectors. Lack of patches increases exposure time, and the stored nature of the XSS means the malicious payload persists until removed.

To mitigate CVE-2024-40600, organizations should immediately review and restrict editing permissions on the MediaWiki:Sidebar page and related top-level menu entries to trusted administrators only, preventing unauthorized content injection. Implement strict input validation and output encoding on all user-supplied content in the sidebar to neutralize malicious scripts. Monitor and audit sidebar content regularly for suspicious or unexpected code. Consider disabling or replacing the Metrolook skin with a less vulnerable alternative until a security patch is released. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS attacks. Educate users about the risks of clicking on suspicious links or interacting with untrusted content within the wiki. Stay updated with MediaWiki security advisories and apply patches promptly once available. Additionally, use web application firewalls (WAFs) to detect and block XSS attack patterns targeting the sidebar.