Impact
The UrlShortener extension contains a flaw in which user-supplied URLs are parsed using PHP's URL parsing logic rather than the WHATWG URL Standard that browsers follow. Because the two parsers can disagree about which host a URL points to, a crafted URL can pass the extension's validation checks while still sending the visitor's browser to an arbitrary destination. The impact is an open redirect that can be leveraged for phishing. The description does not explicitly state the outcome, but it is inferred from the title and the nature of the validation bypass that the redirect target can be controlled by an attacker.
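The following is an added example, not code from the UrlShortener extension or from MediaWiki, showing the kind of disagreement the paragraph above describes. The allowlist, the host names and the sample URLs are all constructed for illustration. Node's global URL class implements the WHATWG standard, so it behaves like a browser; the RFC 3986 Appendix B regex split stands in for a non-WHATWG parser such as PHP's parse_url() and is not PHP's implementation. The classic trick is a backslash before the "@": a WHATWG parser treats "\" like "/" for http(s) URLs, so the authority ends before the "@" and the browser goes to the attacker's host, while an RFC-style parser reads everything up to the "@" as userinfo and reports the allowlisted host. The third sample shows a different discrepancy (WHATWG normalises a bare decimal host into an IPv4 address), included to make the point that the mismatch is not limited to one character.

```javascript
// Added example: WHATWG vs. RFC-3986-style host extraction, and why a
// destination allowlist must be evaluated with the parser browsers use.
// Not code from the UrlShortener extension; all names below are constructed.

// Constructed allowlist of hosts the shortener is willing to redirect to.
const ALLOWED_HOSTS = new Set(["allowed.example", "wiki.allowed.example"]);

// RFC 3986 Appendix B split (scheme, authority, path, query, fragment).
// Stand-in for a non-WHATWG parser such as PHP's parse_url(); not PHP's code.
const RFC3986 = /^(?:([^:/?#]+):)?(?:\/\/([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?/;

// Host as an RFC-style parser sees it: strip userinfo before the last "@",
// then an optional ":port" (skipped for bracketed IPv6 literals).
function rfcStyleHost(url) {
  const m = RFC3986.exec(url);
  if (!m || m[2] === undefined) return null;
  let host = m[2];
  const at = host.lastIndexOf("@");
  if (at !== -1) host = host.slice(at + 1);
  if (!host.startsWith("[")) {
    const colon = host.lastIndexOf(":");
    if (colon !== -1) host = host.slice(0, colon);
  }
  return host.toLowerCase();
}

// Host as a browser sees it: Node's URL class implements the WHATWG URL Standard.
function whatwgHost(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null; // WHATWG parse failure: the browser would not navigate either
  }
}

// The weak check: allowlist evaluated on the RFC-style host.
function isAllowedLegacy(url) {
  const h = rfcStyleHost(url);
  return h !== null && ALLOWED_HOSTS.has(h);
}

// The hardened check: parse with the WHATWG parser, pin the scheme to
// http/https, and compare the hostname exactly against the allowlist.
function isAllowedHardened(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  return ALLOWED_HOSTS.has(u.hostname);
}

function compare(url) {
  return {
    url,
    rfcHost: rfcStyleHost(url),
    whatwgHost: whatwgHost(url),
    legacyAllows: isAllowedLegacy(url),
    hardenedAllows: isAllowedHardened(url),
  };
}

// Constructed sample inputs.
const SAMPLES = [
  "http://allowed.example/Main_Page",            // both parsers agree
  "http://attacker.example\\@allowed.example/",  // backslash trick: parsers disagree
  "http://2130706433/",                          // WHATWG normalises to 127.0.0.1
];

for (const s of SAMPLES) {
  console.log(compare(s));
}
```

For the second sample the legacy check says "allowed.example" and lets the link through, while a browser following the resulting redirect lands on attacker.example; the hardened check rejects it because it asks the same parser the browser uses. Checking the scheme as well closes the related case where a non-http scheme (for example javascript:) has a "host" that happens to match.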
Affected Systems
The vulnerable component is the UrlShortener extension released by the Wikimedia Foundation. No specific version numbers are listed, so any installation of this extension should be treated as susceptible until the vendor states otherwise. The extension is typically used to create shortened URLs from user-supplied inputs.
Risk and Exploitability
The CVE has no EPSS score and is not listed in the CISA KEV catalog, so there is no public record of exploitation at this time. No CVSS score is provided, so the severity is unknown, but an open redirect inherently carries a moderate to high risk of abuse if an attacker can supply crafted URLs. The likely attack vector is an attacker creating a shortened URL whose crafted target passes the extension's validation and then persuading a user to visit it; because the short link is served from the trusted wiki domain, the redirect lends credibility to a phishing page. Without further information the exploitation probability remains uncertain, but the potential for phishing makes the vulnerability significant for sites relying on the extension.
OpenCVE Enrichment