CVE-2025-53093
Status: Awaiting Analysis
BaseFortify

Publication date: 2025-06-27

Last updated on: 2025-06-30

Assigner: GitHub, Inc.

Description
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTML into the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Version 3.1.1 contains a patch for the bug.
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-06-27
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-53093 is a stored Cross-Site Scripting (XSS) vulnerability in the TabberNeue MediaWiki extension. It occurs because the extension improperly escapes attribute values supplied through the <tabber> tag, allowing any user who can edit wikitext to inject arbitrary HTML and JavaScript into the DOM of the rendered page. The root cause is the use of unescaped triple curly braces ({{{ ... }}}) in the extension's mustache templates, which insert attribute values verbatim instead of HTML-escaping them. An attacker exploits this by placing a payload in any allowed attribute of the tag, so that the rendered markup gains new attributes or elements (for example an inline event handler) and arbitrary script runs in the context of the affected MediaWiki instance for every visitor of that page. [1, 2]


How can this vulnerability impact me?

This vulnerability can have a high impact because it allows anyone who can add <tabber> markup to a page (on an open wiki, any remote user) to execute arbitrary JavaScript in the context of the MediaWiki site, without requiring elevated privileges or user interaction. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions that compromise the confidentiality, integrity, and availability of the affected system. The CVSS v3 base score is 8.6, indicating high severity with a network attack vector, low complexity, no privileges required, and no user interaction needed. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the HTML output of pages that use the TabberNeue extension for attribute values that were not escaped, looking for injected HTML or JavaScript where only plain attribute text should appear. Since the vulnerability is stored XSS via attributes, search rendered pages for suspicious payloads such as inline event handlers (e.g. onmouseenter) or script tags near the rendered tabber markup. Example commands:

1) Fetch a page that contains a tabber and look for inline event handlers or script tags in its rendered HTML. Note that the wikitext <tabber> tag itself does not appear in the rendered output, so match the rendered markup rather than the tag name:
curl -s http://yourwiki.example.com/PageWithTabber | grep -iE 'tabber[^>]*on[a-z]+=|<script'

2) For developers: check the extension source for unescaped triple-brace template variables (this assumes the usual MediaWiki layout, with the extension installed under extensions/TabberNeue; the pattern is deliberately loose because whitespace inside the braces varies):
grep -rn --include='*.mustache' '{{{' extensions/TabberNeue/

3) Check the installed extension version on Special:Version, or in the "version" field of extensions/TabberNeue/extension.json. Any version from 3.0.0 up to but not including 3.1.1 is affected.

No specific detection commands are provided in the referenced resources; the commands above are illustrative. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the TabberNeue MediaWiki extension to version 3.1.1 or later, which contains the patch fixing the vulnerability by properly escaping attribute values in the mustache templates. If upgrading is not immediately possible, a temporary workaround is to restrict who can edit pages so that untrusted users cannot insert <tabber> tags at all (for example by disabling anonymous editing through MediaWiki's $wgGroupPermissions), or, if you maintain a local copy of the extension, to apply the same escaping change yourself. The patch replaces triple curly braces {{{ value }}} with double curly braces {{ value }} in the Tabs.mustache template, so that attribute values are HTML-escaped and cannot break out of the attribute to inject arbitrary HTML or JavaScript. [1, 2]
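To make the difference between the raw and the escaped mustache form concrete, and to show a more robust version of the detection idea from the previous answer, here is an added Python example. It is not TabberNeue's code, nor the Mustache library's: it implements a minimal Mustache-style renderer in which {{{ x }}} inserts a value verbatim and {{ x }} HTML-escapes it, renders a hypothetical attribute template both ways with a constructed payload, and parses the result with the standard library's HTMLParser to show that only the raw form produces a new event-handler attribute. The template, the attribute name title, and the payload are assumptions for illustration and are not the extension's actual Tabs.mustache or its allowed-attribute list.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample payload: closes the attribute value and adds an inline
# event handler. It is not taken from the advisory.
PAYLOAD = '" onmouseenter="alert(document.cookie)'

# Hypothetical before/after templates modelled on the advisory's description
# ({{{ }}} inserts raw, {{ }} escapes). They are not copies of Tabs.mustache,
# and "title" is an illustrative attribute name.
VULNERABLE_TEMPLATE = '<div class="tabber" title="{{{ title }}}"></div>'
FIXED_TEMPLATE = '<div class="tabber" title="{{ title }}"></div>'

# One regex pass so that raw-inserted content is never re-scanned for tags.
TAG = re.compile(r"\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}")


def render(template, ctx):
    """Minimal Mustache-style renderer: {{{x}}} is raw, {{x}} is HTML-escaped."""
    def substitute(match):
        raw_name, escaped_name = match.group(1), match.group(2)
        if raw_name is not None:
            return str(ctx.get(raw_name, ""))
        # quote=True also escapes " and ', which is what keeps a value inside
        # a quoted attribute.
        return html.escape(str(ctx.get(escaped_name, "")), quote=True)
    return TAG.sub(substitute, template)


class TagCollector(HTMLParser):
    """Records every start tag with its attributes as the parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


EVENT_HANDLER = re.compile(r"^on[a-z]+$")


def find_injected_handlers(markup):
    """Return (tag, attribute) pairs for inline event handlers and any <script> tags.

    Parsing the markup instead of grepping it means we see attributes the way a
    browser would, so an escaped payload sitting inside a quoted value does not
    trigger a false positive.
    """
    hits = []
    for tag, attrs in parse_tags(markup):
        if tag == "script":
            hits.append((tag, None))
        hits.extend((tag, name) for name in attrs if EVENT_HANDLER.match(name))
    return hits


if __name__ == "__main__":
    for label, template in (("vulnerable", VULNERABLE_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        output = render(template, {"title": PAYLOAD})
        print(f"{label}: {output}")
        print("  parsed attributes:", parse_tags(output)[0][1])
        print("  injected handlers:", find_injected_handlers(output))
```

Running the script prints both renderings. For the vulnerable template the parsed div gains an onmouseenter attribute, while for the fixed template the entire payload, quotes included, ends up as the value of title and no handler attribute exists. The same find_injected_handlers check can be run over HTML fetched from a wiki page as a parser-based alternative to the grep pattern above.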

