CVE-2025-62664
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: wikimedia-foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_wikimedia_foundation | mediawiki | 1.45.0-alpha |
| the_wikimedia_foundation | voteny | * |
| the_wikimedia_foundation | imagerating | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62664 is a stored Cross-Site Scripting (XSS) vulnerability in the ImageRating extension of MediaWiki. It occurs because the extension inserts system messages as raw HTML into web pages using jQuery's .html() function without escaping them. Specifically, the mw.msg() function returns unescaped HTML, which is then directly injected, allowing attackers to store malicious scripts that execute when users view the affected pages. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary scripts in the context of users viewing the affected MediaWiki pages. This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware. Since the malicious code is stored, it can affect multiple users over time, potentially compromising the security and integrity of the MediaWiki site and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the stored XSS attack as described: enable the VoteNY and ImageRating extensions, upload a file, add <vote type=1 /> to the file page, vote for the file, ensure the configuration variable $wgUseXssLanguage is true, then navigate to /wiki/Special:ImageRating?uselang=x-xss and enter any category name next to the rated image and submit. Observing if injected scripts execute indicates the vulnerability. There are no specific network commands provided, but testing the web interface with crafted inputs as described is the detection method. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to apply the patch that changes the insertion method from jQuery's .html() to .text() for system messages in the ImageRating extension, ensuring messages are inserted as plain text rather than raw HTML. This fix has been backported to supported branches and was merged on August 15, 2025. Until patched, consider disabling the ImageRating and VoteNY extensions or restricting access to the affected pages to prevent exploitation. [1]