CVE-2025-25287 (GCVE-0-2025-25287)
Vulnerability from cvelistv5 – Published: 2025-02-13 15:28 – Updated: 2025-07-21 12:37
VLAI?
Title
Lakeus vulnerable to stored XSS via system messages
Summary
Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to store cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch.
Severity ?
4.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| lakejason0 | mediawiki-skins-Lakeus |
Affected:
>= 1.0.8, < 1.3.1+REL1.39
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25287",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-13T16:08:33.744492Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T16:08:46.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mediawiki-skins-Lakeus",
"vendor": "lakejason0",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.8, \u003c 1.3.1+REL1.39"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to store cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T12:37:21.292Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lakejason0/mediawiki-skins-Lakeus/security/advisories/GHSA-mq77-3q68-v64v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lakejason0/mediawiki-skins-Lakeus/security/advisories/GHSA-mq77-3q68-v64v"
},
{
"name": "https://github.com/lakejason0/mediawiki-skins-Lakeus/commit/fb79928f06efa47677fff27e0f4755eb32b1c8d9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lakejason0/mediawiki-skins-Lakeus/commit/fb79928f06efa47677fff27e0f4755eb32b1c8d9"
},
{
"name": "https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/includes/SkinLakeus.php#L27",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/includes/SkinLakeus.php#L27"
},
{
"name": "https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/resources/themeDesigner.js",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/resources/themeDesigner.js"
}
],
"source": {
"advisory": "GHSA-mq77-3q68-v64v",
"discovery": "UNKNOWN"
},
"title": "Lakeus vulnerable to stored XSS via system messages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25287",
"datePublished": "2025-02-13T15:28:40.074Z",
"dateReserved": "2025-02-06T17:13:33.121Z",
"dateUpdated": "2025-07-21T12:37:21.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-25287\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-13T16:16:49.187\",\"lastModified\":\"2025-07-21T13:15:26.153\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to store cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch.\"},{\"lang\":\"es\",\"value\":\"Lakeus es una m\u00e1scara simple creada para MediaWiki. A partir de la versi\u00f3n 1.8.0 y antes de las versiones 1.3.1+REL1.39, 1.3.1+REL1.42 y 1.4.0, Lakeus es vulnerable a la ejecuci\u00f3n de cross-site scripting almacenado a trav\u00e9s de mensajes de sistema maliciosos, aunque la edici\u00f3n de los mensajes requiere privilegios elevados. Aquellos con derechos `(editinterface)` pueden editar los mensajes de sistema que se gestionan incorrectamente para enviar HTML sin formato. En el caso de `lakeus-footermessage`, esto afectar\u00e1 a todos los usuarios si el servidor est\u00e1 configurado para vincularse a este repositorio. De lo contrario, los mensajes de sistema en themeDesigner.js solo se utilizan cuando el usuario lo habilita en sus preferencias. Las versiones 1.3.1+REL1.39, 1.3.1+REL1.42 y 1.4.0 contienen un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/includes/SkinLakeus.php#L27\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/resources/themeDesigner.js\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/lakejason0/mediawiki-skins-Lakeus/commit/fb79928f06efa47677fff27e0f4755eb32b1c8d9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/lakejason0/mediawiki-skins-Lakeus/security/advisories/GHSA-mq77-3q68-v64v\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-25287\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-13T16:08:33.744492Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-13T16:08:42.964Z\"}}], \"cna\": {\"title\": \"Lakeus vulnerable to stored XSS via system messages\", \"source\": {\"advisory\": \"GHSA-mq77-3q68-v64v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"lakejason0\", \"product\": \"mediawiki-skins-Lakeus\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.0.8, \u003c 1.3.1+REL1.39\"}]}], \"references\": [{\"url\": \"https://github.com/lakejason0/mediawiki-skins-Lakeus/security/advisories/GHSA-mq77-3q68-v64v\", \"name\": \"https://github.com/lakejason0/mediawiki-skins-Lakeus/security/advisories/GHSA-mq77-3q68-v64v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/lakejason0/mediawiki-skins-Lakeus/commit/fb79928f06efa47677fff27e0f4755eb32b1c8d9\", \"name\": \"https://github.com/lakejason0/mediawiki-skins-Lakeus/commit/fb79928f06efa47677fff27e0f4755eb32b1c8d9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/includes/SkinLakeus.php#L27\", \"name\": \"https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/includes/SkinLakeus.php#L27\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/resources/themeDesigner.js\", \"name\": \"https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/resources/themeDesigner.js\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to store cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-21T12:37:21.292Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-25287\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-21T12:37:21.292Z\", \"dateReserved\": \"2025-02-06T17:13:33.121Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-13T15:28:40.074Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…