Impact
The ScratchSig extension for MediaWiki allows stored Cross-Site Scripting. Using a <script> tag inside tag, attackers with edit permission can execute scripts in visitors' browsers. With the MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover.
Patches
This has been patched in release 1.0.1, which has already been deployed to all Scratch Wikis.
Workarounds
No workarounds exist other than disabling the extension completely.