Vulnerability-Lookup

CVE-2025-49578 (GCVE-0-2025-49578)

Vulnerability from cvelistv5 – Published: 2025-06-12 18:50 – Updated: 2025-06-12 19:12

Title

Citizen allows stored XSS in user registration date message

Summary

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/StarCitizenTools/mediawiki-ski…	x_refsource_CONFIRM
https://github.com/StarCitizenTools/mediawiki-ski…	x_refsource_MISC
https://github.com/StarCitizenTools/mediawiki-ski…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
StarCitizenTools	mediawiki-skins-Citizen	Affected: >= 64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb, < 93c36ac778397e0e7c46cf7adb1e5d848265f1bd Affected: >= 3.3.0, < 3.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49578",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-12T19:11:37.150490Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-12T19:12:17.575Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mediawiki-skins-Citizen",
          "vendor": "StarCitizenTools",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb, \u003c 93c36ac778397e0e7c46cf7adb1e5d848265f1bd"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.3.0, \u003c 3.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T18:50:49.300Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h"
        },
        {
          "name": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb"
        },
        {
          "name": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd"
        }
      ],
      "source": {
        "advisory": "GHSA-2v3v-3whp-953h",
        "discovery": "UNKNOWN"
      },
      "title": "Citizen allows stored XSS in user registration date message"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49578",
    "datePublished": "2025-06-12T18:50:49.300Z",
    "dateReserved": "2025-06-06T15:44:21.555Z",
    "dateUpdated": "2025-06-12T19:12:17.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-49578",
      "date": "2026-05-27",
      "epss": "0.00156",
      "percentile": "0.35909"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-49578\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-12T19:15:20.610\",\"lastModified\":\"2025-08-22T18:48:29.597\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.\"},{\"lang\":\"es\",\"value\":\"Citizen es una interfaz de MediaWiki que integra las extensiones en la experiencia cohesiva. Varios mensajes de fecha devueltos por `Language::userDate` se insertan en HTML sin formato, lo que permite que cualquiera que pueda editarlos inserte HTML arbitrario en el DOM. Esto afecta a las wikis donde un grupo tiene el permiso de usuario `editinterface` pero no el de `editsitejs`. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 3.3.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:starcitizen.tools:citizen:*:*:*:*:*:mediawiki:*:*\",\"versionEndExcluding\":\"3.3.1\",\"matchCriteriaId\":\"02337D0B-F229-4068-85B2-AB0A2C13C77E\"}]}]}],\"references\":[{\"url\":\"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49578\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-12T19:11:37.150490Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-12T19:11:40.964Z\"}}], \"cna\": {\"title\": \"Citizen allows stored XSS in user registration date message\", \"source\": {\"advisory\": \"GHSA-2v3v-3whp-953h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"StarCitizenTools\", \"product\": \"mediawiki-skins-Citizen\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb, \u003c 93c36ac778397e0e7c46cf7adb1e5d848265f1bd\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.3.0, \u003c 3.3.1\"}]}], \"references\": [{\"url\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h\", \"name\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb\", \"name\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd\", \"name\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-12T18:50:49.300Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-49578\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-12T19:12:17.575Z\", \"dateReserved\": \"2025-06-06T15:44:21.555Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-12T18:50:49.300Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-49578

Vulnerability from fkie_nvd - Published: 2025-06-12 19:15 - Updated: 2025-08-22 18:48

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb	Patch
security-advisories@github.com	https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd	Patch
security-advisories@github.com	https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	starcitizen.tools	citizen	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:starcitizen.tools:citizen:*:*:*:*:*:mediawiki:*:*",
              "matchCriteriaId": "02337D0B-F229-4068-85B2-AB0A2C13C77E",
              "versionEndExcluding": "3.3.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1."
    },
    {
      "lang": "es",
      "value": "Citizen es una interfaz de MediaWiki que integra las extensiones en la experiencia cohesiva. Varios mensajes de fecha devueltos por `Language::userDate` se insertan en HTML sin formato, lo que permite que cualquiera que pueda editarlos inserte HTML arbitrario en el DOM. Esto afecta a las wikis donde un grupo tiene el permiso de usuario `editinterface` pero no el de `editsitejs`. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 3.3.1."
    }
  ],
  "id": "CVE-2025-49578",
  "lastModified": "2025-08-22T18:48:29.597",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-06-12T19:15:20.610",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-2V3V-3WHP-953H

Vulnerability from github – Published: 2025-06-13 14:09 – Updated: 2025-06-13 14:09

Summary

starcitizentools/citizen-skin allows stored XSS in user registration date message

Details

Summary

Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The result of $this->lang->userDate( $timestamp, $this->user ) returns unescaped values, but is inserted as raw HTML by Citizen: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60

PoC

Go to any page using citizen with the uselang parameter set to x-xss and while being logged in Depending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's november:

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "starcitizentools/citizen-skin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-13T14:09:00Z",
    "nvd_published_at": "2025-06-12T19:15:20Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nVarious date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.\n\n### Details\nThe result of `$this-\u003elang-\u003euserDate( $timestamp, $this-\u003euser )` returns unescaped values, but is inserted as raw HTML by Citizen:\nhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60\n\n### PoC\n1. Go to any page using citizen with the uselang parameter set to x-xss and while being logged in\nDepending on the registration date of the account you\u0027re logged in with, various messages can be shown. In my case, it\u0027s `november`:\n![image](https://github.com/user-attachments/assets/252a3453-99c8-4ce1-b6d6-a8485b7a9a43)\n\n\n### Impact\nThis impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.",
  "id": "GHSA-2v3v-3whp-953h",
  "modified": "2025-06-13T14:09:00Z",
  "published": "2025-06-13T14:09:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-2v3v-3whp-953h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49578"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "starcitizentools/citizen-skin allows stored XSS in user registration date message"
}

WID-SEC-W-2025-1525

Vulnerability from csaf_certbund - Published: 2025-07-09 22:00 - Updated: 2025-07-23 22:00

Summary

MediaWiki Extensions und Skins: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: MediaWiki ist ein freies Wiki, das ursprünglich für den Einsatz auf Wikipedia entwickelt wurde.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um SQL-Injection- und XSS-Angriffe durchzuführen, Sicherheitsmechanismen zu umgehen, vertrauliche Informationen offenzulegen oder sich unbefugt höhere Berechtigungen zu verschaffen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2025-32956

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-32964

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-43861

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49575

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49576

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49577

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49578

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49579

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53093

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53368

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53369

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53370

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53478

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53479

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53480

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53481

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53482

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53483

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53484

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53485

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53486

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53487

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53488

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53489

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53490

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53491

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53492

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53493

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53494

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53495

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53496

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53497

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53498

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53499

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53500

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53501

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53502

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-6926

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-7056

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-7057

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-7362

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-7363

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

References

4 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://lists.wikimedia.org/hyperkitty/list/media…	external
https://lists.debian.org/debian-lts-announce/2025…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MediaWiki ist ein freies Wiki, das urspr\u00fcnglich f\u00fcr den Einsatz auf Wikipedia entwickelt wurde.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um SQL-Injection- und XSS-Angriffe durchzuf\u00fchren, Sicherheitsmechanismen zu umgehen, vertrauliche Informationen offenzulegen oder sich unbefugt h\u00f6here Berechtigungen zu verschaffen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1525 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1525.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1525 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1525"
      },
      {
        "category": "external",
        "summary": "MediaWiki Extensions and Skins Security Release Supplement vom 2025-07-09",
        "url": "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/B757OC4UOPKOO4EYXNPUKQY2BS4CQE2E/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4249 vom 2025-07-23",
        "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
      }
    ],
    "source_lang": "en-US",
    "title": "MediaWiki Extensions und Skins: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-07-23T22:00:00.000+00:00",
      "generator": {
        "date": "2025-07-24T07:52:25.673+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1525",
      "initial_release_date": "2025-07-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-07-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-07-23T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.39.13",
                "product": {
                  "name": "Open Source MediaWiki \u003c1.39.13",
                  "product_id": "T044971"
                }
              },
              {
                "category": "product_version",
                "name": "1.39.13",
                "product": {
                  "name": "Open Source MediaWiki 1.39.13",
                  "product_id": "T044971-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mediawiki:mediawiki:1.39.13"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.42.7",
                "product": {
                  "name": "Open Source MediaWiki \u003c1.42.7",
                  "product_id": "T044972"
                }
              },
              {
                "category": "product_version",
                "name": "1.42.7",
                "product": {
                  "name": "Open Source MediaWiki 1.42.7",
                  "product_id": "T044972-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mediawiki:mediawiki:1.42.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.43.2",
                "product": {
                  "name": "Open Source MediaWiki \u003c1.43.2",
                  "product_id": "T044973"
                }
              },
              {
                "category": "product_version",
                "name": "1.43.2",
                "product": {
                  "name": "Open Source MediaWiki 1.43.2",
                  "product_id": "T044973-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mediawiki:mediawiki:1.43.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "MediaWiki"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-32956",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-32956"
    },
    {
      "cve": "CVE-2025-32964",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-32964"
    },
    {
      "cve": "CVE-2025-43861",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-43861"
    },
    {
      "cve": "CVE-2025-49575",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49575"
    },
    {
      "cve": "CVE-2025-49576",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49576"
    },
    {
      "cve": "CVE-2025-49577",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49577"
    },
    {
      "cve": "CVE-2025-49578",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49578"
    },
    {
      "cve": "CVE-2025-49579",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49579"
    },
    {
      "cve": "CVE-2025-53093",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53093"
    },
    {
      "cve": "CVE-2025-53368",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53368"
    },
    {
      "cve": "CVE-2025-53369",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53369"
    },
    {
      "cve": "CVE-2025-53370",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53370"
    },
    {
      "cve": "CVE-2025-53478",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53478"
    },
    {
      "cve": "CVE-2025-53479",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53479"
    },
    {
      "cve": "CVE-2025-53480",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53480"
    },
    {
      "cve": "CVE-2025-53481",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53481"
    },
    {
      "cve": "CVE-2025-53482",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53482"
    },
    {
      "cve": "CVE-2025-53483",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53483"
    },
    {
      "cve": "CVE-2025-53484",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53484"
    },
    {
      "cve": "CVE-2025-53485",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53485"
    },
    {
      "cve": "CVE-2025-53486",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53486"
    },
    {
      "cve": "CVE-2025-53487",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53487"
    },
    {
      "cve": "CVE-2025-53488",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53488"
    },
    {
      "cve": "CVE-2025-53489",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53489"
    },
    {
      "cve": "CVE-2025-53490",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53490"
    },
    {
      "cve": "CVE-2025-53491",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53491"
    },
    {
      "cve": "CVE-2025-53492",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53492"
    },
    {
      "cve": "CVE-2025-53493",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53493"
    },
    {
      "cve": "CVE-2025-53494",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53494"
    },
    {
      "cve": "CVE-2025-53495",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53495"
    },
    {
      "cve": "CVE-2025-53496",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53496"
    },
    {
      "cve": "CVE-2025-53497",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53497"
    },
    {
      "cve": "CVE-2025-53498",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53498"
    },
    {
      "cve": "CVE-2025-53499",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53499"
    },
    {
      "cve": "CVE-2025-53500",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53500"
    },
    {
      "cve": "CVE-2025-53501",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53501"
    },
    {
      "cve": "CVE-2025-53502",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53502"
    },
    {
      "cve": "CVE-2025-6926",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-6926"
    },
    {
      "cve": "CVE-2025-7056",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-7056"
    },
    {
      "cve": "CVE-2025-7057",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-7057"
    },
    {
      "cve": "CVE-2025-7362",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-7362"
    },
    {
      "cve": "CVE-2025-7363",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-7363"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-49578 (GCVE-0-2025-49578)

FKIE_CVE-2025-49578

GHSA-2V3V-3WHP-953H

Summary

Details

PoC

Impact

WID-SEC-W-2025-1525

Tags

Sightings

Nomenclature