CVE-2025-53484
BaseFortify
Publication date: 2025-07-04
Last updated on: 2025-07-08
Assigner: wikimedia-foundation
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because user-controlled input in certain parts of the MediaWiki SecurePoll extension is not properly escaped before it is written into HTML. Specifically, the poll option input rendered by VotePage.php, and the user-controllable page names rendered by ResultPage::getPagesTab() and getErrorsTab(), are emitted without escaping. An attacker who controls that text can inject markup and JavaScript that runs in the browser of other users viewing the page, which under certain conditions can compromise their sessions.
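The escaping failure described above, as an added illustration that is not SecurePoll's own code: a hypothetical page builder in PHP (the extension's language) that concatenates a poll option label and a page name straight into HTML, beside the hardened form that escapes at the output boundary. The function names, the sample payloads and the check routine are assumptions made for this demo; the actual vulnerable lines in VotePage.php and ResultPage.php are not reproduced on this page.

```php
<?php
// Added illustration (not SecurePoll's own code): the same kind of output
// bug the page describes, a poll option label and a user-controlled page
// name concatenated into HTML, beside the hardened form that escapes on
// output. Function and variable names are hypothetical.

// Constructed attacker-controlled inputs for the demo. The actual payloads
// reported for CVE-2025-53484 are not on this page.
$optionLabel = 'Option A<img src=x onerror="alert(1)">';
$pageName    = 'Results"><script>alert(2)</script>';

// Vulnerable pattern: raw string concatenation into HTML. The browser
// parses the injected tag, so the handler runs in the wiki's origin with
// the victim's cookies and session.
function renderOptionUnsafe(string $label): string {
    return '<label>' . $label . '</label>';
}

function renderPageLinkUnsafe(string $name): string {
    return '<a href="/wiki/' . $name . '">' . $name . '</a>';
}

// Hardened pattern: escape at the point where untrusted text meets HTML.
// ENT_QUOTES covers both text nodes and quoted attribute values, which is
// the same contract MediaWiki's Html::element() gives you.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderOptionSafe(string $label): string {
    return '<label>' . escapeHtml($label) . '</label>';
}

function renderPageLinkSafe(string $name): string {
    // URL-encode for the path segment, then HTML-escape for the attribute;
    // each output context gets its own encoder.
    $href = '/wiki/' . rawurlencode($name);
    return '<a href="' . escapeHtml($href) . '">' . escapeHtml($name) . '</a>';
}

// Crude check for the demo: after stripping the one element the template
// itself emits, any remaining '<' must have come from user input acting as
// a tag delimiter.
function containsInjectedTag(string $html, string $allowedTag): bool {
    $pattern  = '~</?' . preg_quote($allowedTag, '~') . '(?:\s[^>]*)?>~';
    $stripped = preg_replace($pattern, '', $html);
    return strpos($stripped, '<') !== false;
}

foreach ([
    ['unsafe option', renderOptionUnsafe($optionLabel), 'label'],
    ['safe option',   renderOptionSafe($optionLabel),   'label'],
    ['unsafe link',   renderPageLinkUnsafe($pageName),  'a'],
    ['safe link',     renderPageLinkSafe($pageName),    'a'],
] as [$what, $html, $tag]) {
    printf("%-14s injected=%s  %s\n",
        $what,
        containsInjectedTag($html, $tag) ? 'yes' : 'no',
        $html);
}
```

Run it with `php` on the command line; each of the four renderings is printed with an injected=yes/no flag, and only the two unsafe ones are flagged. The design point is that the fix is not a blocklist on input but a context-aware encoder applied once, at the place where untrusted text is written into HTML, so the same `<` and `"` that break out of a tag in the unsafe version become inert text in the safe one.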
How can this vulnerability impact me?
The vulnerability can allow attackers to inject JavaScript code into the application, potentially leading to session hijacking or other malicious actions performed in the context of the affected users. This can compromise user accounts, lead to unauthorized actions, and damage trust in the application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the SecurePoll extension to the fixed release that matches your MediaWiki branch: 1.39.13 or later on the 1.39.X branch, 1.42.7 or later on the 1.42.X branch, or 1.43.2 or later on the 1.43.X branch. These releases correct the missing escaping of user-controlled input that allowed JavaScript injection and session compromise.