CVE-2025-53486
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-08
Assigner: wikimedia-foundation
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the WikiCategoryTagCloud extension for MediaWiki. It occurs because the linkstyle attribute is improperly handled: it is concatenated directly into inline HTML without proper escaping. An attacker can inject malicious JavaScript event handlers, such as onmouseenter, by crafting input via the {{#tag:tagcloud}} parser function. When a user hovers over a link in the category cloud, the injected JavaScript executes. The root cause is that the linkstyle parameter is only checked by Sanitizer::checkCss(), which does not escape HTML or quotes, and the vulnerable code uses string concatenation instead of safe HTML generation methods. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of the affected MediaWiki site. This can lead to session hijacking, theft of sensitive information, defacement, or other malicious actions performed on behalf of the victim user when they interact with the category cloud links. Essentially, it compromises the security and trustworthiness of the website by enabling client-side code injection. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the WikiCategoryTagCloud extension's handling of the `linkstyle` attribute in the `{{#tag: tagcloud}}` parser function. Specifically, you can attempt to inject payloads that include JavaScript event handlers such as `onmouseenter` via the `linkstyle` parameter and observe if the injected JavaScript executes when hovering over category cloud links. There are no specific network or system commands provided for detection, but manual testing or automated scanning for reflected XSS in this parameter is recommended. [1]
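Because the advisory offers no commands, here is an added audit script for wiki administrators; it is not part of the advisory or of the WikiCategoryTagCloud extension. It scans exported wikitext for tag-cloud invocations whose `linkstyle` value contains characters that a plain CSS declaration list for a link never needs (quotes, angle brackets) or an attribute-shaped `on…=` token. The parameter syntax it assumes (`linkstyle=<value>` on its own line inside `<tagcloud>…</tagcloud>` or `{{#tag:tagcloud|…}}`), the function names and the sample wikitext are all constructed for this example.

```php
<?php
// Added example, not the extension's own code. Assumed syntax: tag-cloud
// parameters are written as `key=value` lines inside <tagcloud>...</tagcloud>
// or {{#tag:tagcloud|...}}. The sample wikitext at the bottom is constructed.

/**
 * Return every linkstyle value found in tag-cloud invocations in $wikitext.
 */
function extractLinkStyles(string $wikitext): array {
    // Collect the bodies of both invocation forms.
    preg_match_all('/<tagcloud\b[^>]*>(.*?)<\/tagcloud>/is', $wikitext, $tagForm);
    preg_match_all('/\{\{#tag:\s*tagcloud\s*\|(.*?)\}\}/is', $wikitext, $parserForm);
    $bodies = array_merge($tagForm[1], $parserForm[1]);

    $values = [];
    foreach ($bodies as $body) {
        // A value ends at a newline or at the next |-separated argument.
        if (preg_match_all('/linkstyle\s*=\s*([^\n|]*)/i', $body, $m)) {
            foreach ($m[1] as $v) {
                $values[] = trim($v);
            }
        }
    }
    return $values;
}

/**
 * Flag a linkstyle value that could break out of a style="..." attribute.
 * Quotes and angle brackets are not needed in a link's declaration list,
 * and an on<event>= token is attribute syntax, not CSS. This is a triage
 * heuristic: a legitimate font-family with quoted names would also be
 * flagged and should simply be reviewed by hand.
 */
function isSuspiciousStyle(string $value): bool {
    return (bool) preg_match('/["\'<>]|\bon[a-z]+\s*=/i', $value);
}

/**
 * Convenience wrapper: only the values worth a human look.
 */
function auditWikitext(string $wikitext): array {
    return array_values(array_filter(extractLinkStyles($wikitext), 'isSuspiciousStyle'));
}

// Constructed sample: one benign invocation and one whose value closes the
// style attribute and starts a new one (the pattern the advisory describes).
$sample = <<<'WIKI'
<tagcloud>
min_size=80
linkstyle=color: #336699; text-decoration: none;
</tagcloud>

{{#tag:tagcloud|
linkstyle=color: red;" onmouseenter="x
}}
WIKI;

foreach (auditWikitext($sample) as $value) {
    echo "suspicious linkstyle value: {$value}\n";
}
```

Run it over a dump of page wikitext (for example the output of `Special:Export`) to find pages that need review; the hardened extension version will escape such values, but the audit shows whether anyone has already stored one.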
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WikiCategoryTagCloud extension to a fixed version where the vulnerability is patched (versions 1.39.13, 1.42.7, 1.43.2 or later). The patch replaces unsafe string concatenation with safe HTML generation methods that properly escape attributes. If updating is not immediately possible, consider disabling the use of the `linkstyle` attribute in the `{{#tag: tagcloud}}` parser function or restricting user input to trusted users only to prevent injection of malicious JavaScript. [1]
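To make the "unsafe string concatenation versus safe HTML generation" distinction concrete, here is an added example; it is not the extension's code and not the patch itself. It renders one tag-cloud link the unsafe way and the escaped way, then parses both results to show that only the unescaped version ends up with an attribute that was never intended. The function names and the `/wiki/Category:Example` link are constructed; `htmlspecialchars()` stands in for MediaWiki's `Html::element()`, which performs the same attribute escaping inside a real extension.

```php
<?php
// Added example, not the extension's own code. Assumed: each tag-cloud link
// is an <a> whose style attribute comes from the user-supplied linkstyle
// value, which a CSS check has already seen but has not quote-escaped.

/**
 * Unsafe pattern: the value is spliced straight into the attribute string.
 * A value containing a double quote closes style="..." and whatever follows
 * is parsed as further attributes, which is the root cause described above.
 */
function renderLinkUnsafe(string $href, string $text, string $linkStyle): string {
    return '<a href="' . $href . '" style="' . $linkStyle . '">' . $text . '</a>';
}

/**
 * Hardened pattern: every attribute value and the text node are escaped with
 * ENT_QUOTES, so quotes, <, > and & cannot end the attribute or start markup.
 * In MediaWiki proper, Html::element( 'a', $attribs, $text ) does this for
 * you; htmlspecialchars is used here so the example runs without MediaWiki.
 */
function renderLinkSafe(string $href, string $text, string $linkStyle): string {
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $esc($href) . '" style="' . $esc($linkStyle) . '">' . $esc($text) . '</a>';
}

/**
 * Check: true when the rendered <a> carries any attribute other than href
 * and style, i.e. an injected attribute survived rendering.
 */
function hasUnexpectedAttribute(string $html): bool {
    $doc = new DOMDocument();
    // Suppress libxml warnings; malformed markup is exactly what we inspect.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    foreach ($doc->getElementsByTagName('a') as $anchor) {
        foreach ($anchor->attributes as $attr) {
            if (!in_array(strtolower($attr->name), ['href', 'style'], true)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed linkstyle value: valid CSS followed by a quote that would close
// the attribute and introduce a handler attribute in the unsafe version.
$linkStyle = 'color: #336699;" onmouseenter="x';

$unsafe = renderLinkUnsafe('/wiki/Category:Example', 'Example', $linkStyle);
$safe   = renderLinkSafe('/wiki/Category:Example', 'Example', $linkStyle);

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";
printf("unsafe render has an injected attribute: %s\n", hasUnexpectedAttribute($unsafe) ? 'yes' : 'no');
printf("safe render has an injected attribute:   %s\n", hasUnexpectedAttribute($safe) ? 'yes' : 'no');
```

The check parses the output rather than string-matching it, which is the same question a browser answers: did the value stay inside the `style` attribute? Escaping at the point of HTML generation is what the fixed versions do, and it is independent of any earlier CSS validation, which is why `Sanitizer::checkCss()` alone was not enough.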