This issue affects Mediawiki - ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
No analysis available yet.
No remediation available yet.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-20236 | The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped. This issue affects Mediawiki - ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. |
Mon, 07 Jul 2025 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Mon, 07 Jul 2025 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped. This issue affects Mediawiki - ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | |
| Title | ApprovedRevs: Stored Cross-Site Scripting (XSS) via unsanitized system messages | |
| Weaknesses | CWE-79 | |
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: wikimedia-foundation
Published:
Updated: 2025-07-07T19:16:14.015Z
Reserved: 2025-06-30T15:20:44.462Z
Link: CVE-2025-53487
Updated: 2025-07-07T19:16:08.320Z
Status : Deferred
Published: 2025-07-07T16:15:25.623
Modified: 2026-06-17T09:38:18.167
Link: CVE-2025-53487
No data.
OpenCVE Enrichment
No data.
-
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
EUVD