Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30917 is a stored Cross-Site Scripting (XSS) vulnerability in the Bucket extension for MediaWiki versions prior to 2.1.1. It allows an attacker to inject malicious scripts into any Bucket table field that has a PAGE type. These scripts execute whenever a user views the corresponding Bucket namespace page, potentially compromising the user's browser security."}, {'type': 'paragraph', 'content': 'The vulnerability arises because user input was not properly sanitized before being displayed as HTML. Specifically, the extension used a method that rendered raw HTML without escaping, enabling script injection. The issue was fixed by changing the code to properly escape user input before outputting it, preventing malicious scripts from executing.'}] [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary scripts in your browser when you view affected Bucket namespace pages. This can lead to unauthorized disclosure of information, such as theft of sensitive data or session hijacking.

The impact on confidentiality is high, meaning sensitive information could be exposed. The impact on integrity and availability is low, indicating limited unauthorized modification or disruption of service.

Because the attack requires no privileges and no user interaction, it can be exploited remotely and easily, increasing the risk to users of vulnerable versions.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves stored cross-site scripting (XSS) in the Bucket extension for MediaWiki, specifically in fields of type PAGE. Detection involves checking if your MediaWiki installation uses the Bucket extension version prior to 2.1.1 and if any Bucket table fields of type PAGE contain unsanitized or suspicious HTML or script content.'}, {'type': 'paragraph', 'content': 'Since this is a stored XSS vulnerability, detection can be done by inspecting the content of Bucket tables for injected scripts or by reviewing the version of the Bucket extension installed.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the vulnerable version or suspicious content include:'}, {'type': 'list_item', 'content': 'Check the installed Bucket extension version in MediaWiki: `php maintenance/showVersion.php` or check the extension version in the MediaWiki Special:Version page.'}, {'type': 'list_item', 'content': "Search the database for suspicious script tags in Bucket table fields of type PAGE, for example using SQL commands like: `SELECT * FROM bucket_table WHERE page_field LIKE '%<script>%'` (replace `bucket_table` and `page_field` with actual table and field names)."}, {'type': 'list_item', 'content': 'Review web pages in the Bucket namespace for unexpected script execution or injected HTML.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Bucket extension for MediaWiki to version 2.1.1 or later, where the vulnerability is fixed.

The fix involves proper sanitization of user input in the `formatValue` method to prevent unsanitized HTML output that leads to XSS.

If immediate upgrade is not possible, consider:

• Manually sanitize or remove any suspicious or untrusted content in Bucket table fields of type PAGE.
• Restrict access to the Bucket namespace pages to trusted users only.
• Monitor and audit user inputs to Bucket tables to prevent injection of malicious scripts.

Useful 0 Not Useful 0