CVE-2025-62659
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-10-22

Assigner: wikimedia-foundation

Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki CookieConsent extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki CookieConsent extension: from v0.1.0 before v2.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-10-22
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62659
EUVD
EUVD-2025-35582
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wikimedia mediawiki_cookieconsent_extension 0.1.0
wikimedia mediawiki_cookieconsent_extension 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue in the MediaWiki CookieConsent extension. It occurs because the extension sets the 'src' attribute of iframes with the 'data-cookieconsent' attribute to the value of their 'data-src' attribute. Since user-supplied attributes like 'data-src' are not properly restricted, an attacker can supply a malicious JavaScript URI (e.g., 'javascript:alert(1)') that gets executed, leading to XSS. The vulnerability arises from insufficient sanitization of user input in iframe attributes. [1]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of the affected website by injecting malicious code via the 'data-src' attribute of iframes. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of the user without their consent. [1]

Detection Guidance

This vulnerability can be detected by inspecting the HTML output of pages using the MediaWiki CookieConsent extension to see if iframes with the attribute `data-cookieconsent` have their `src` attribute set from user-controllable `data-src` attributes. Specifically, look for iframe elements where `src` is set to a JavaScript URI such as `javascript:alert(1)`. You can use browser developer tools to inspect the DOM or use command-line tools like curl combined with grep to find iframe tags with `data-cookieconsent` and check their `src` attributes. For example, you might run: `curl -s https://your-mediawiki-site | grep -oP '<iframe[^>]+data-cookieconsent[^>]+>'` and then manually verify if any `src` attributes contain JavaScript URIs. Additionally, automated scanning tools that detect XSS in iframe src attributes could be used. [1]

Mitigation Strategies

Immediate mitigation involves updating the MediaWiki CookieConsent extension to version 2.0.0 or later, where the vulnerability is fixed by enforcing the use of reserved data attributes starting with `data-mw-` and disallowing user-controlled data attributes like `data-src` from being used to set iframe `src` attributes. If updating is not immediately possible, consider disabling the CookieConsent extension temporarily or restricting user input that can set `data-src` attributes to prevent injection of JavaScript URIs. Monitoring and applying the patch provided by the extension maintainers is recommended to fully resolve the issue. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart