Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-0790
Vulnerability from csaf_certbund
Published
2025-04-13 22:00
Modified
2025-07-23 22:00
Summary
MediaWiki Erweiterungen und -Komponenten: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
MediaWiki ist ein freies Wiki, das ursprünglich für den Einsatz auf Wikipedia entwickelt wurde.
Angriff
Ein Angreifer kann mehrere Schwachstellen in verschiedenen MediaWiki Erweiterungen und -Komponenten ausnutzen, um Cross Site Scripting Angriffe durchzuführen, beliebigen Code auszuführen, Informationen offenzulegen und Sicherheitsmaßnahmen wie z.B. die Authentisierung zu umgehen.
Betroffene Betriebssysteme
- Linux
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "MediaWiki ist ein freies Wiki, das urspr\u00fcnglich f\u00fcr den Einsatz auf Wikipedia entwickelt wurde.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in verschiedenen MediaWiki Erweiterungen und -Komponenten ausnutzen, um Cross Site Scripting Angriffe durchzuf\u00fchren, beliebigen Code auszuf\u00fchren, Informationen offenzulegen und Sicherheitsma\u00dfnahmen wie z.B. die Authentisierung zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-0790 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0790.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-0790 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0790"
},
{
"category": "external",
"summary": "MediaWiki Extensions and Skins Security Release Supplement vom 2025-04-13",
"url": "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/OXIGQIHBL26HFKG6TT5SWSH7K7W6RO4H/"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-5957 vom 2025-07-03",
"url": "https://lists.debian.org/debian-security-announce/2025/msg00121.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4249 vom 2025-07-23",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
}
],
"source_lang": "en-US",
"title": "MediaWiki Erweiterungen und -Komponenten: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-07-23T22:00:00.000+00:00",
"generator": {
"date": "2025-07-24T07:51:56.078+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-0790",
"initial_release_date": "2025-04-13T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-04-13T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-07-03T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-07-23T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Debian aufgenommen"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.39.12",
"product": {
"name": "Open Source MediaWiki \u003c1.39.12",
"product_id": "T042753"
}
},
{
"category": "product_version",
"name": "1.39.12",
"product": {
"name": "Open Source MediaWiki 1.39.12",
"product_id": "T042753-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:1.39.12"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.42.6",
"product": {
"name": "Open Source MediaWiki \u003c1.42.6",
"product_id": "T042754"
}
},
{
"category": "product_version",
"name": "1.42.6",
"product": {
"name": "Open Source MediaWiki 1.42.6",
"product_id": "T042754-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:1.42.6"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.43.1",
"product": {
"name": "Open Source MediaWiki \u003c1.43.1",
"product_id": "T042755"
}
},
{
"category": "product_version",
"name": "1.43.1",
"product": {
"name": "Open Source MediaWiki 1.43.1",
"product_id": "T042755-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mediawiki:mediawiki:1.43.1"
}
}
}
],
"category": "product_name",
"name": "MediaWiki"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-32067",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32067"
},
{
"cve": "CVE-2025-32068",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32068"
},
{
"cve": "CVE-2025-32069",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32069"
},
{
"cve": "CVE-2025-32070",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32070"
},
{
"cve": "CVE-2025-32071",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32071"
},
{
"cve": "CVE-2025-32072",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32072"
},
{
"cve": "CVE-2025-32073",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32073"
},
{
"cve": "CVE-2025-32074",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32074"
},
{
"cve": "CVE-2025-32075",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32075"
},
{
"cve": "CVE-2025-32076",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32076"
},
{
"cve": "CVE-2025-32077",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32077"
},
{
"cve": "CVE-2025-32078",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32078"
},
{
"cve": "CVE-2025-32079",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32079"
},
{
"cve": "CVE-2025-32080",
"product_status": {
"known_affected": [
"T042753",
"2951",
"T042754",
"T042755"
]
},
"release_date": "2025-04-13T22:00:00.000+00:00",
"title": "CVE-2025-32080"
}
]
}
CVE-2025-32075 (GCVE-0-2025-32075)
Vulnerability from cvelistv5
Published
2025-04-11 16:21
Modified
2025-04-11 17:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Tabs Extension allows Code Injection.This issue affects Mediawiki - Tabs Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Tabs Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32075",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T17:33:41.959977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T17:34:19.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://phabricator.wikimedia.org/T386887"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Tabs Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BlankEclair"
}
],
"datePublic": "2025-04-11T01:10:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Tabs Extension allows Code Injection.\u003cp\u003eThis issue affects Mediawiki - Tabs Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Tabs Extension allows Code Injection.This issue affects Mediawiki - Tabs Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:21:59.701Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T386887"
},
{
"url": "https://gerrit.wikimedia.org/r/q/I03bec9528ee3ed05f35187458cde4e2fc4b51092"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IP and user agent leaks in Extension:Tabs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32075",
"datePublished": "2025-04-11T16:21:59.701Z",
"dateReserved": "2025-04-03T21:56:59.952Z",
"dateUpdated": "2025-04-11T17:34:19.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32080 (GCVE-0-2025-32080)
Vulnerability from cvelistv5
Published
2025-04-11 16:24
Modified
2025-04-11 16:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Mobile Frontend Extension allows Shared Resource Manipulation.This issue affects Mediawiki - Mobile Frontend Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Mobile Frontend Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:36:29.305226Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:36:40.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Mobile Frontend Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bawolff"
},
{
"lang": "en",
"type": "finder",
"value": "Jdlrobson-WMF"
}
],
"datePublic": "2025-04-11T00:22:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Mobile Frontend Extension allows Shared Resource Manipulation.\u003cp\u003eThis issue affects Mediawiki - Mobile Frontend Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Mobile Frontend Extension allows Shared Resource Manipulation.This issue affects Mediawiki - Mobile Frontend Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-124",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-124 Shared Resource Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:24:00.100Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T366402"
},
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MobileFrontend/+/1123392"
},
{
"url": "https://gerrit.wikimedia.org/r/q/Ia5c3be79db37240acbaa630834e430ec3147e61c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-origin data leak in mobilefrontend via lazy load images",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32080",
"datePublished": "2025-04-11T16:24:00.100Z",
"dateReserved": "2025-04-03T21:57:02.784Z",
"dateUpdated": "2025-04-11T16:36:40.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32072 (GCVE-0-2025-32072)
Vulnerability from cvelistv5
Published
2025-04-11 16:23
Modified
2025-04-11 16:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection.This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki Core - Feed Utils |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32072",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:39:44.476218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:40:02.558Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki Core - Feed Utils",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucas_Werkmeister_WMDE"
}
],
"datePublic": "2025-04-11T00:43:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection.\u003cp\u003eThis issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection.This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-500",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-500 WebView Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:23:12.186Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1120134"
},
{
"url": "https://phabricator.wikimedia.org/T386175"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTML injection in feed output from i18n message",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32072",
"datePublished": "2025-04-11T16:23:12.186Z",
"dateReserved": "2025-04-03T21:56:59.952Z",
"dateUpdated": "2025-04-11T16:40:02.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32069 (GCVE-0-2025-32069)
Vulnerability from cvelistv5
Published
2025-04-11 16:20
Modified
2025-07-07 14:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Media Info Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Media Info Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Wikibase Media Info Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-32069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T19:14:48.319682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:09:11.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Wikibase Media Info Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dylsss"
},
{
"lang": "en",
"type": "finder",
"value": "matthiasmullie"
}
],
"datePublic": "2025-04-11T01:36:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Media Info Extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - Wikibase Media Info Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Media Info Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Media Info Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T16:26:45.624Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T387691"
},
{
"url": "https://gerrit.wikimedia.org/r/q/Ie969a8cfeab0d4457417773fa884e271968e5657"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Wikitext stored XSS on filepages due to dangerous WBMI serialization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32069",
"datePublished": "2025-04-11T16:20:48.994Z",
"dateReserved": "2025-04-03T21:56:59.951Z",
"dateUpdated": "2025-07-07T14:09:11.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32067 (GCVE-0-2025-32067)
Vulnerability from cvelistv5
Published
2025-04-11 16:21
Modified
2025-07-07 14:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Growth Experiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Growth Experiments Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Growth Experiments Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-32067",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:30:39.939666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:33:32.461Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Growth Experiments Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael"
},
{
"lang": "en",
"type": "finder",
"value": "Urbanecm_WMF"
}
],
"datePublic": "2025-04-11T01:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Growth Experiments Extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - Growth Experiments Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Growth Experiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Growth Experiments Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T16:27:47.501Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T386963"
},
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1122163"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "i18n XSS vulnerability in message growthexperiments",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32067",
"datePublished": "2025-04-11T16:21:33.513Z",
"dateReserved": "2025-04-03T21:56:59.951Z",
"dateUpdated": "2025-07-07T14:33:32.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32068 (GCVE-0-2025-32068)
Vulnerability from cvelistv5
Published
2025-04-11 16:21
Modified
2025-07-07 14:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Incorrect Authorization vulnerability in The Wikimedia Foundation Mediawiki - OAuth Extension allows Authentication Bypass.This issue affects Mediawiki - OAuth Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - OAuth Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-32068",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T19:12:49.332073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:28:21.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - OAuth Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tgr"
},
{
"lang": "en",
"type": "finder",
"value": "MarkusRost"
}
],
"datePublic": "2025-04-11T01:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in The Wikimedia Foundation Mediawiki - OAuth Extension allows Authentication Bypass.\u003cp\u003eThis issue affects Mediawiki - OAuth Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in The Wikimedia Foundation Mediawiki - OAuth Extension allows Authentication Bypass.This issue affects Mediawiki - OAuth Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T16:27:05.610Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T336113"
},
{
"url": "https://gerrit.wikimedia.org/r/q/I27b61af2cdfb862a42432e7a87b863033d540cfc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Revoking authorization of OAuth2 consumer does not invalidate refresh tokens",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32068",
"datePublished": "2025-04-11T16:21:11.981Z",
"dateReserved": "2025-04-03T21:56:59.951Z",
"dateUpdated": "2025-07-07T14:28:21.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32073 (GCVE-0-2025-32073)
Vulnerability from cvelistv5
Published
2025-04-11 16:22
Modified
2025-07-07 14:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS).This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - HTML Tags |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-32073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:58:30.720359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:09:51.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - HTML Tags",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BlankEclair"
},
{
"lang": "en",
"type": "finder",
"value": "Yaron_Koren"
}
],
"datePublic": "2025-04-11T00:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - HTML Tags: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS).This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T16:28:44.953Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T386337"
},
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/HTMLTags/+/1121056"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "System message XSS in HTMLTags",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32073",
"datePublished": "2025-04-11T16:22:47.728Z",
"dateReserved": "2025-04-03T21:56:59.952Z",
"dateUpdated": "2025-07-07T14:09:51.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32074 (GCVE-0-2025-32074)
Vulnerability from cvelistv5
Published
2025-04-11 16:22
Modified
2025-07-07 14:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Confirm Account Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-32074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T17:30:39.241628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:29:03.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Confirm Account Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BlankEclair"
}
],
"datePublic": "2025-04-11T00:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T16:28:08.097Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T386908"
},
{
"url": "https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSSes in Extension:ConfirmAccount",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32074",
"datePublished": "2025-04-11T16:22:23.418Z",
"dateReserved": "2025-04-03T21:56:59.952Z",
"dateUpdated": "2025-07-07T14:29:03.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32076 (GCVE-0-2025-32076)
Vulnerability from cvelistv5
Published
2025-04-11 16:23
Modified
2025-04-11 16:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Visual Data Extension allows HTTP DoS.This issue affects Mediawiki - Visual Data Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Visual Data Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:38:53.983961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:39:21.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Visual Data Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bawolff"
},
{
"lang": "en",
"type": "finder",
"value": "Thomas-topway-it"
}
],
"datePublic": "2025-04-11T00:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Visual Data Extension allows HTTP DoS.\u003cp\u003eThis issue affects Mediawiki - Visual Data Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Visual Data Extension allows HTTP DoS.This issue affects Mediawiki - Visual Data Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-469",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-469 HTTP DoS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:23:36.096Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualData/+/1121732"
},
{
"url": "https://phabricator.wikimedia.org/T385935"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Evil regex used to process user-provided data in VisualData",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32076",
"datePublished": "2025-04-11T16:23:36.096Z",
"dateReserved": "2025-04-03T21:57:02.783Z",
"dateUpdated": "2025-04-11T16:39:21.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32079 (GCVE-0-2025-32079)
Vulnerability from cvelistv5
Published
2025-04-11 16:24
Modified
2025-07-07 14:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS.This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - GrowthExperiments |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-32079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:35:56.581176Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:17:08.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - GrowthExperiments",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Urbanecm_WMF"
}
],
"datePublic": "2025-04-10T22:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS.\u003cp\u003eThis issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS.This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-469",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-469 HTTP DoS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T16:28:56.592Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1114020"
},
{
"url": "https://phabricator.wikimedia.org/T384244"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Saving the right content to MediaWiki:GrowthMentors.json can take down the site",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32079",
"datePublished": "2025-04-11T16:24:21.988Z",
"dateReserved": "2025-04-03T21:57:02.784Z",
"dateUpdated": "2025-07-07T14:17:08.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32077 (GCVE-0-2025-32077)
Vulnerability from cvelistv5
Published
2025-04-11 16:25
Modified
2025-04-11 16:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Extension:SimpleCalendar allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Extension:SimpleCalendar: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Extension:SimpleCalendar |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:33:00.507829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:33:20.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Extension:SimpleCalendar",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BlankEclair"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Extension:SimpleCalendar allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - Extension:SimpleCalendar: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Extension:SimpleCalendar allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Extension:SimpleCalendar: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:25:06.597Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T383472"
},
{
"url": "https://gerrit.wikimedia.org/r/q/Ic5b5ce8f7791026eff1aafffb32a68f3aab119be"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSSes in Extension:SimpleCalendar",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32077",
"datePublished": "2025-04-11T16:25:06.597Z",
"dateReserved": "2025-04-03T21:57:02.784Z",
"dateUpdated": "2025-04-11T16:33:20.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32070 (GCVE-0-2025-32070)
Vulnerability from cvelistv5
Published
2025-04-11 16:20
Modified
2025-07-07 14:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - AJAX Poll Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - AJAX Poll Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - AJAX Poll Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-32070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T19:17:27.575685Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:31:48.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - AJAX Poll Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BlankEclair"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - AJAX Poll Extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - AJAX Poll Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - AJAX Poll Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - AJAX Poll Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T16:26:23.765Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T389590"
},
{
"url": "https://gerrit.wikimedia.org/r/q/Ib59c59b2cd36928ab200149c851e2bfcf5cf920c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSSes in AJAXPoll",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32070",
"datePublished": "2025-04-11T16:20:24.436Z",
"dateReserved": "2025-04-03T21:56:59.951Z",
"dateUpdated": "2025-07-07T14:31:48.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32078 (GCVE-0-2025-32078)
Vulnerability from cvelistv5
Published
2025-04-11 16:24
Modified
2025-04-11 16:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Version Compare Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:34:07.729721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:34:20.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Version Compare Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BlankEclair"
}
],
"datePublic": "2025-04-10T21:51:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:24:46.164Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T384269"
},
{
"url": "https://gerrit.wikimedia.org/r/q/If901b3b98e615e1a4f4034d932d2d592000b51d0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSSes and potential RCE in Special:VersionCompare",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32078",
"datePublished": "2025-04-11T16:24:46.164Z",
"dateReserved": "2025-04-03T21:57:02.784Z",
"dateUpdated": "2025-04-11T16:34:20.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32071 (GCVE-0-2025-32071)
Vulnerability from cvelistv5
Published
2025-04-11 16:19
Modified
2025-07-07 14:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS) from widthheight message via ImageHandler::getDimensionsString()This issue affects Mediawiki - Wikidata Extension: from 1.39 through 1.43.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Wikidata Extension |
Version: 1.39 ≤ 1.43 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-32071",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T19:26:45.902214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:17:52.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://phabricator.wikimedia.org/T389369"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mediawiki - Wikidata Extension",
"vendor": "The Wikimedia Foundation",
"versions": [
{
"lessThanOrEqual": "1.43",
"status": "affected",
"version": "1.39",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucas_Werkmeister_WMDE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS)\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efrom widthheight message via ImageHandler::getDimensionsString()\u003c/span\u003e\u003cp\u003eThis issue affects Mediawiki - Wikidata Extension: from 1.39 through 1.43.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS)\u00a0from widthheight message via ImageHandler::getDimensionsString()This issue affects Mediawiki - Wikidata Extension: from 1.39 through 1.43."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T16:26:09.433Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T389369"
},
{
"url": "https://gerrit.wikimedia.org/r/q/Iac1f1c27054bfd1a4a4251281ab8c72f59204a90"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Wikibase CommonsInlineImageFormatter: i18n XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32071",
"datePublished": "2025-04-11T16:19:46.163Z",
"dateReserved": "2025-04-03T21:56:59.951Z",
"dateUpdated": "2025-07-07T14:17:52.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…