CVE-2025-62659
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-10-22
Assigner: wikimedia-foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikimedia | mediawiki_cookieconsent_extension | 0.1.0 |
| wikimedia | mediawiki_cookieconsent_extension | 2.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue in the MediaWiki CookieConsent extension. It occurs because the extension sets the 'src' attribute of iframes with the 'data-cookieconsent' attribute to the value of their 'data-src' attribute. Since user-supplied attributes like 'data-src' are not properly restricted, an attacker can supply a malicious JavaScript URI (e.g., 'javascript:alert(1)') that gets executed, leading to XSS. The vulnerability arises from insufficient sanitization of user input in iframe attributes. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of the affected website by injecting malicious code via the 'data-src' attribute of iframes. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of the user without their consent. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the HTML output of pages using the MediaWiki CookieConsent extension to see if iframes with the attribute `data-cookieconsent` have their `src` attribute set from user-controllable `data-src` attributes. Specifically, look for iframe elements where `src` is set to a JavaScript URI such as `javascript:alert(1)`. You can use browser developer tools to inspect the DOM or use command-line tools like curl combined with grep to find iframe tags with `data-cookieconsent` and check their `src` attributes. For example, you might run: `curl -s https://your-mediawiki-site | grep -oP '<iframe[^>]+data-cookieconsent[^>]+>'` and then manually verify if any `src` attributes contain JavaScript URIs. Additionally, automated scanning tools that detect XSS in iframe src attributes could be used. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the MediaWiki CookieConsent extension to version 2.0.0 or later, where the vulnerability is fixed by enforcing the use of reserved data attributes starting with `data-mw-` and disallowing user-controlled data attributes like `data-src` from being used to set iframe `src` attributes. If updating is not immediately possible, consider disabling the CookieConsent extension temporarily or restricting user input that can set `data-src` attributes to prevent injection of JavaScript URIs. Monitoring and applying the patch provided by the extension maintainers is recommended to fully resolve the issue. [1]