CVE-2025-62702
BaseFortify
Publication date: 2025-10-21
Last updated on: 2025-10-21
Assigner: wikimedia-foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_wikimedia_foundation | mediawiki | 1.45.0-alpha |
| the_wikimedia_foundation | mediawiki_pagetriage_extension | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62702 is a stored Cross-Site Scripting (XSS) vulnerability in the PageTriage extension of MediaWiki. It occurs because certain system messages are inserted into the web page as raw HTML without proper escaping, allowing attackers to inject malicious HTML or JavaScript code. This malicious code is then executed in the browsers of users with sysop privileges when they view the PageTriage interface, potentially compromising their accounts or the system. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary scripts in the context of privileged users (sysops) of the MediaWiki PageTriage interface. This can lead to unauthorized actions such as stealing credentials, performing actions on behalf of the user, or compromising the integrity of the system. The attack requires the attacker to inject malicious content into system messages and the victim to have sysop privileges to trigger the exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the system messages `pagetriage-new-page-feed-show-ip` and `pagetriage-new-page-feed-show-ip-not-found` in the MediaWiki PageTriage extension are vulnerable to stored XSS. Detection involves editing these system messages to include a harmless test payload such as `<img src='' onerror='alert(1)'>` or `<img src='' onerror='alert(2)'>`, then accessing the Special:NewPagesFeed page with a sysop account to see if the payload executes. There are no specific network commands provided, but the detection is done through the MediaWiki interface and system message editing. Steps include: 1) Editing the system messages to include test HTML/JavaScript, 2) Creating new pages with a temporary account, 3) Accessing the Special:NewPagesFeed page as a sysop to observe if the payload triggers an alert. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patches that escape system messages before inserting them into the DOM, as released by the Wikimedia Foundation. If patching is not immediately possible, restrict permissions to edit system messages such as `pagetriage-new-page-feed-show-ip` and `pagetriage-new-page-feed-show-ip-not-found` to trusted users only, and limit sysop access to the PageTriage interface to prevent triggering the XSS. Additionally, review and remove any malicious content from these system messages. Upgrading to MediaWiki versions where the fix is applied (including master and REL1_44 branches) is recommended. [1]