csaf_certbund - wid-sec-w-2025-0098

wid-sec-w-2025-0098

Vulnerability from csaf_certbund

Published

2025-01-14 23:00

Modified

2025-01-14 23:00

Summary

MediaWiki: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

MediaWiki ist ein freies Wiki, das ursprünglich für den Einsatz auf Wikipedia entwickelt wurde.

Angriff

Ein Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, um Dateien zu manipulieren oder vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme

- Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MediaWiki ist ein freies Wiki, das urspr\u00fcnglich f\u00fcr den Einsatz auf Wikipedia entwickelt wurde.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren, um Dateien zu manipulieren oder vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0098 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0098.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0098 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0098"
      },
      {
        "category": "external",
        "summary": "MediaWiki Extensions and Skins Security Release Supplement vom 2025-01-14",
        "url": "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/7FVLRF77HRBRY23UFLLJYYT6SNCGJUMY/"
      }
    ],
    "source_lang": "en-US",
    "title": "MediaWiki: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-01-14T23:00:00.000+00:00",
      "generator": {
        "date": "2025-01-15T12:48:20.297+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2025-0098",
      "initial_release_date": "2025-01-14T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-01-14T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.39.11",
                "product": {
                  "name": "Open Source MediaWiki \u003c1.39.11",
                  "product_id": "T040317"
                }
              },
              {
                "category": "product_version",
                "name": "1.39.11",
                "product": {
                  "name": "Open Source MediaWiki 1.39.11",
                  "product_id": "T040317-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mediawiki:mediawiki:1.39.11"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.41.5",
                "product": {
                  "name": "Open Source MediaWiki \u003c11.41.5",
                  "product_id": "T040318"
                }
              },
              {
                "category": "product_version",
                "name": "11.41.5",
                "product": {
                  "name": "Open Source MediaWiki 11.41.5",
                  "product_id": "T040318-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mediawiki:mediawiki:11.41.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.42.4",
                "product": {
                  "name": "Open Source MediaWiki \u003c1.42.4",
                  "product_id": "T040319"
                }
              },
              {
                "category": "product_version",
                "name": "1.42.4",
                "product": {
                  "name": "Open Source MediaWiki 1.42.4",
                  "product_id": "T040319-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mediawiki:mediawiki:1.42.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "MediaWiki"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-23072",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in MediaWiki. Diese Schwachstellen betreffen mehrere Komponenten, darunter Special, Extension und die API-Liste, aufgrund verschiedener Sicherheitsprobleme, wie z.B. unsachgem\u00e4\u00dfe Durchsetzung von Sichtbarkeitseinstellungen oder unsachgem\u00e4\u00dfe Behandlung von Eingabeparametern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Dateien zu manipulieren oder vertrauliche Informationen preiszugeben. Einige der Schwachstellen erfordern ein bestimmtes Privilegienniveau, um erfolgreich ausgenutzt werden zu k\u00f6nnen, zum Beispiel das Benutzerrecht editothersprofiles. Viele der Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt werden zu k\u00f6nnen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040319",
          "T040318",
          "T040317"
        ]
      },
      "release_date": "2025-01-14T23:00:00.000+00:00",
      "title": "CVE-2025-23072"
    },
    {
      "cve": "CVE-2025-23073",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in MediaWiki. Diese Schwachstellen betreffen mehrere Komponenten, darunter Special, Extension und die API-Liste, aufgrund verschiedener Sicherheitsprobleme, wie z.B. unsachgem\u00e4\u00dfe Durchsetzung von Sichtbarkeitseinstellungen oder unsachgem\u00e4\u00dfe Behandlung von Eingabeparametern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Dateien zu manipulieren oder vertrauliche Informationen preiszugeben. Einige der Schwachstellen erfordern ein bestimmtes Privilegienniveau, um erfolgreich ausgenutzt werden zu k\u00f6nnen, zum Beispiel das Benutzerrecht editothersprofiles. Viele der Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt werden zu k\u00f6nnen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040319",
          "T040318",
          "T040317"
        ]
      },
      "release_date": "2025-01-14T23:00:00.000+00:00",
      "title": "CVE-2025-23073"
    },
    {
      "cve": "CVE-2025-23074",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in MediaWiki. Diese Schwachstellen betreffen mehrere Komponenten, darunter Special, Extension und die API-Liste, aufgrund verschiedener Sicherheitsprobleme, wie z.B. unsachgem\u00e4\u00dfe Durchsetzung von Sichtbarkeitseinstellungen oder unsachgem\u00e4\u00dfe Behandlung von Eingabeparametern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Dateien zu manipulieren oder vertrauliche Informationen preiszugeben. Einige der Schwachstellen erfordern ein bestimmtes Privilegienniveau, um erfolgreich ausgenutzt werden zu k\u00f6nnen, zum Beispiel das Benutzerrecht editothersprofiles. Viele der Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt werden zu k\u00f6nnen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040319",
          "T040318",
          "T040317"
        ]
      },
      "release_date": "2025-01-14T23:00:00.000+00:00",
      "title": "CVE-2025-23074"
    },
    {
      "cve": "CVE-2025-23078",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in MediaWiki. Diese Schwachstellen betreffen mehrere Komponenten, darunter Special, Extension und die API-Liste, aufgrund verschiedener Sicherheitsprobleme, wie z.B. unsachgem\u00e4\u00dfe Durchsetzung von Sichtbarkeitseinstellungen oder unsachgem\u00e4\u00dfe Behandlung von Eingabeparametern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Dateien zu manipulieren oder vertrauliche Informationen preiszugeben. Einige der Schwachstellen erfordern ein bestimmtes Privilegienniveau, um erfolgreich ausgenutzt werden zu k\u00f6nnen, zum Beispiel das Benutzerrecht editothersprofiles. Viele der Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt werden zu k\u00f6nnen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040319",
          "T040318",
          "T040317"
        ]
      },
      "release_date": "2025-01-14T23:00:00.000+00:00",
      "title": "CVE-2025-23078"
    },
    {
      "cve": "CVE-2025-23079",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in MediaWiki. Diese Schwachstellen betreffen mehrere Komponenten, darunter Special, Extension und die API-Liste, aufgrund verschiedener Sicherheitsprobleme, wie z.B. unsachgem\u00e4\u00dfe Durchsetzung von Sichtbarkeitseinstellungen oder unsachgem\u00e4\u00dfe Behandlung von Eingabeparametern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Dateien zu manipulieren oder vertrauliche Informationen preiszugeben. Einige der Schwachstellen erfordern ein bestimmtes Privilegienniveau, um erfolgreich ausgenutzt werden zu k\u00f6nnen, zum Beispiel das Benutzerrecht editothersprofiles. Viele der Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt werden zu k\u00f6nnen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040319",
          "T040318",
          "T040317"
        ]
      },
      "release_date": "2025-01-14T23:00:00.000+00:00",
      "title": "CVE-2025-23079"
    },
    {
      "cve": "CVE-2025-23080",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in MediaWiki. Diese Schwachstellen betreffen mehrere Komponenten, darunter Special, Extension und die API-Liste, aufgrund verschiedener Sicherheitsprobleme, wie z.B. unsachgem\u00e4\u00dfe Durchsetzung von Sichtbarkeitseinstellungen oder unsachgem\u00e4\u00dfe Behandlung von Eingabeparametern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Dateien zu manipulieren oder vertrauliche Informationen preiszugeben. Einige der Schwachstellen erfordern ein bestimmtes Privilegienniveau, um erfolgreich ausgenutzt werden zu k\u00f6nnen, zum Beispiel das Benutzerrecht editothersprofiles. Viele der Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt werden zu k\u00f6nnen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040319",
          "T040318",
          "T040317"
        ]
      },
      "release_date": "2025-01-14T23:00:00.000+00:00",
      "title": "CVE-2025-23080"
    },
    {
      "cve": "CVE-2025-23081",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in MediaWiki. Diese Schwachstellen betreffen mehrere Komponenten, darunter Special, Extension und die API-Liste, aufgrund verschiedener Sicherheitsprobleme, wie z.B. unsachgem\u00e4\u00dfe Durchsetzung von Sichtbarkeitseinstellungen oder unsachgem\u00e4\u00dfe Behandlung von Eingabeparametern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Dateien zu manipulieren oder vertrauliche Informationen preiszugeben. Einige der Schwachstellen erfordern ein bestimmtes Privilegienniveau, um erfolgreich ausgenutzt werden zu k\u00f6nnen, zum Beispiel das Benutzerrecht editothersprofiles. Viele der Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt werden zu k\u00f6nnen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040319",
          "T040318",
          "T040317"
        ]
      },
      "release_date": "2025-01-14T23:00:00.000+00:00",
      "title": "CVE-2025-23081"
    }
  ]
}

CVE-2025-23074 (GCVE-0-2025-23074)

Vulnerability from cvelistv5

Published

2025-01-14 18:58

Modified

2025-01-31 16:51

Severity ?

2.4 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - SocialProfile Extension allows Functionality Misuse.This issue affects Mediawiki - SocialProfile Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

References

▼	URL	Tags
	https://phabricator.wikimedia.org/T373265
	https://gerrit.wikimedia.org/r/q/I4b77ced314bc6cea0ef3657a82e7467d3661fe2a

Impacted products

	Vendor	Product	Version
	Wikimedia Foundation	Mediawiki - SocialProfile Extension	Version: 1.39.x ≤ Version: 1.41.x ≤ Version: 1.42.x ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 2.4,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23074",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-15T14:31:46.445581Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-31T16:51:45.996Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mediawiki - SocialProfile Extension",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.11",
              "status": "affected",
              "version": "1.39.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.41.3",
              "status": "affected",
              "version": "1.41.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.42.2",
              "status": "affected",
              "version": "1.42.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jack Phoenix (ashley)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - SocialProfile Extension allows Functionality Misuse.\u003cp\u003eThis issue affects Mediawiki - SocialProfile Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - SocialProfile Extension allows Functionality Misuse.This issue affects Mediawiki - SocialProfile Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-212",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-212 Functionality Misuse"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T18:58:20.037Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T373265"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/I4b77ced314bc6cea0ef3657a82e7467d3661fe2a"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Special:EditProfile exposes the contents of profile fields marked \"hidden\"/friends or \"friends of friends\" when the privileged user isn\u0027t a friend of the user whose profile they edit(ed)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-23074",
    "datePublished": "2025-01-14T18:58:20.037Z",
    "dateReserved": "2025-01-10T17:00:37.684Z",
    "dateUpdated": "2025-01-31T16:51:45.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23073 (GCVE-0-2025-23073)

Vulnerability from cvelistv5

Published

2025-01-14 18:45

Modified

2025-02-03 16:59

Severity ?

3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. This issue briefly impacted the master branch of MediaWiki’s GlobalBlocking Extension.

References

▼	URL	Tags
	https://phabricator.wikimedia.org/T377855
	https://gerrit.wikimedia.org/r/q/I2a2d32aedf6328be0a9f1b4e04a6567a25f19486

Impacted products

	Vendor	Product	Version
	Wikimedia Foundation	Mediawiki - GlobalBlocking Extension	Version: master ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 3.5,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23073",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-15T14:29:44.676766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-03T16:59:49.214Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mediawiki - GlobalBlocking Extension",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "master",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dom Walden"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data.\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue briefly impacted the master branch of MediaWiki\u2019s GlobalBlocking Extension.\u003c/p\u003e\n\n\n\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data.\n\nThis issue briefly impacted the master branch of MediaWiki\u2019s GlobalBlocking Extension."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-15T15:57:06.582Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T377855"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/I2a2d32aedf6328be0a9f1b4e04a6567a25f19486"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "API list=globalblocks can reveal IP of autoblock if username and IP are included in the bgtargets parameter",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-23073",
    "datePublished": "2025-01-14T18:45:31.542Z",
    "dateReserved": "2025-01-10T17:00:37.684Z",
    "dateUpdated": "2025-02-03T16:59:49.214Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23079 (GCVE-0-2025-23079)

Vulnerability from cvelistv5

Published

2025-01-10 19:03

Modified

2025-01-13 17:52

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Summary

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - ArticleFeedbackv5 extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - ArticleFeedbackv5 extension: from 1.42.X before 1.42.2.

References

▼	URL	Tags
	https://phabricator.wikimedia.org/T381753
	https://gerrit.wikimedia.org/r/q/I6ee51c8b518bda41739fd666fa2891cc12e79ac3

Impacted products

	Vendor	Product	Version
	Wikimedia Foundation	Mediawiki - ArticleFeedbackv5 extension	Version: 1.39.x ≤ Version: 1.41.x ≤ Version: 1.42.x ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23079",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-13T17:51:30.529258Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-13T17:52:17.561Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mediawiki - ArticleFeedbackv5 extension",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.11",
              "status": "affected",
              "version": "1.39.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.41.3",
              "status": "affected",
              "version": "1.41.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.42.2",
              "status": "affected",
              "version": "1.42.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "BlankEclair (Claire)"
        }
      ],
      "datePublic": "2025-01-10T18:05:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - ArticleFeedbackv5 extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - ArticleFeedbackv5 extension: from 1.42.X before 1.42.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - ArticleFeedbackv5 extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - ArticleFeedbackv5 extension: from 1.42.X before 1.42.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-10T19:03:15.208Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T381753"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/I6ee51c8b518bda41739fd666fa2891cc12e79ac3"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "XSSes in Extension:ArticleFeedbackv5",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-23079",
    "datePublished": "2025-01-10T19:03:15.208Z",
    "dateReserved": "2025-01-10T17:00:37.685Z",
    "dateUpdated": "2025-01-13T17:52:17.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23080 (GCVE-0-2025-23080)

Vulnerability from cvelistv5

Published

2025-01-14 16:40

Modified

2025-01-14 17:20

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Summary

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - OpenBadges Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - OpenBadges Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

References

▼	URL	Tags
	https://phabricator.wikimedia.org/T381220
	https://gerrit.wikimedia.org/r/q/Ic9448312fa7f1cbc8feac3f852bc8720568522e2

Impacted products

	Vendor	Product	Version
	Wikimedia Foundation	Mediawiki - OpenBadges Extension	Version: 1.39.x ≤ Version: 1.41.x ≤ Version: 1.42.x ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23080",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T17:20:21.584135Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T17:20:49.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mediawiki - OpenBadges Extension",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.11",
              "status": "affected",
              "version": "1.39.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.41.3",
              "status": "affected",
              "version": "1.41.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.42.2",
              "status": "affected",
              "version": "1.42.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "BlankEclair (Claire)"
        }
      ],
      "datePublic": "2025-01-14T16:33:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - OpenBadges Extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - OpenBadges Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - OpenBadges Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - OpenBadges Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T16:40:41.795Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T381220"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/Ic9448312fa7f1cbc8feac3f852bc8720568522e2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "XSSes in Special:BadgeView",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-23080",
    "datePublished": "2025-01-14T16:40:41.795Z",
    "dateReserved": "2025-01-10T17:00:37.685Z",
    "dateUpdated": "2025-01-14T17:20:49.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23078 (GCVE-0-2025-23078)

Vulnerability from cvelistv5

Published

2025-01-10 17:57

Modified

2025-01-13 19:02

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Summary

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Breadcrumbs2 extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Breadcrumbs2 extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.5, from 1.42.X before 1.42.4.

References

▼	URL	Tags
	https://phabricator.wikimedia.org/T382043
	https://gerrit.wikimedia.org/r/q/I7878f8f7bc067080f80427b90f8d85337f172711

Impacted products

	Vendor	Product	Version
	Wikimedia Foundation	Mediawiki - Breadcrumbs2 extension	Version: 1.39.x ≤ Version: 1.41.x ≤ Version: 1.42.x ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23078",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-13T18:58:30.572486Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-13T19:02:35.058Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mediawiki - Breadcrumbs2 extension",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.11",
              "status": "affected",
              "version": "1.39.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.41.5",
              "status": "affected",
              "version": "1.41.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.42.4",
              "status": "affected",
              "version": "1.42.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "BlankEclair (Claire)"
        }
      ],
      "datePublic": "2024-12-09T17:17:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - Breadcrumbs2 extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - Breadcrumbs2 extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.5, from 1.42.X before 1.42.4.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - Breadcrumbs2 extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Breadcrumbs2 extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.5, from 1.42.X before 1.42.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-10T17:57:20.927Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T382043"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/I7878f8f7bc067080f80427b90f8d85337f172711"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "XSS in BreadCrumbs2",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-23078",
    "datePublished": "2025-01-10T17:57:20.927Z",
    "dateReserved": "2025-01-10T17:00:37.685Z",
    "dateUpdated": "2025-01-13T19:02:35.058Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23072 (GCVE-0-2025-23072)

Vulnerability from cvelistv5

Published

2025-01-14 18:29

Modified

2025-03-13 18:20

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Summary

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RefreshSpecial Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - RefreshSpecial Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

References

▼	URL	Tags
	https://phabricator.wikimedia.org/T378885
	https://gerrit.wikimedia.org/r/q/Ic9547e80a8296d707ad8a157eb8ba7aa26fb08dc

Impacted products

	Vendor	Product	Version
	Wikimedia Foundation	Mediawiki - RefreshSpecial Extension	Version: 1.39.x ≤ Version: 1.41.x ≤ Version: 1.42.x ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23072",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-15T14:48:21.621684Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-13T18:20:27.524Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mediawiki - RefreshSpecial Extension",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.11",
              "status": "affected",
              "version": "1.39.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.41.3",
              "status": "affected",
              "version": "1.41.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.42.2",
              "status": "affected",
              "version": "1.42.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "BlankEclair (Claire)"
        }
      ],
      "datePublic": "2025-01-14T18:24:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - RefreshSpecial Extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - RefreshSpecial Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - RefreshSpecial Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - RefreshSpecial Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T18:29:20.768Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T378885"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/Ic9547e80a8296d707ad8a157eb8ba7aa26fb08dc"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "XSS in Special:RefreshSpecial",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-23072",
    "datePublished": "2025-01-14T18:29:20.768Z",
    "dateReserved": "2025-01-10T17:00:37.684Z",
    "dateUpdated": "2025-03-13T18:20:27.524Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23081 (GCVE-0-2025-23081)

Vulnerability from cvelistv5

Published

2025-01-14 16:56

Modified

2025-03-13 14:33

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)
CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Summary

Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

References

▼	URL	Tags
	https://phabricator.wikimedia.org/T379749
	https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3
	https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7
	https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9
	https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0
	https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931
	https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451

Impacted products

	Vendor	Product	Version
	Wikimedia Foundation	Mediawiki - DataTransfer Extension	Version: 1.39.x ≤ Version: 1.41.x ≤ Version: 1.42.x ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23081",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-16T15:35:39.419422Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-13T14:33:03.926Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mediawiki - DataTransfer Extension",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.11",
              "status": "affected",
              "version": "1.39.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.41.3",
              "status": "affected",
              "version": "1.41.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.42.2",
              "status": "affected",
              "version": "1.42.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "BlankEclair (Claire)"
        }
      ],
      "datePublic": "2025-01-14T16:42:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        },
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T16:56:42.009Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T379749"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Various security vulnerabilities in Extension:DataTransfer",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-23081",
    "datePublished": "2025-01-14T16:56:42.009Z",
    "dateReserved": "2025-01-10T17:00:37.685Z",
    "dateUpdated": "2025-03-13T14:33:03.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

wid-sec-w-2025-0098

Vulnerability from csaf_certbund

CVE-2025-23074 (GCVE-0-2025-23074)

Vulnerability from cvelistv5

CVE-2025-23073 (GCVE-0-2025-23073)

Vulnerability from cvelistv5

CVE-2025-23079 (GCVE-0-2025-23079)

Vulnerability from cvelistv5

CVE-2025-23080 (GCVE-0-2025-23080)

Vulnerability from cvelistv5

CVE-2025-23078 (GCVE-0-2025-23078)

Vulnerability from cvelistv5

CVE-2025-23072 (GCVE-0-2025-23072)

Vulnerability from cvelistv5

CVE-2025-23081 (GCVE-0-2025-23081)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature