Impact
The Vulnerability is an Improper Neutralization of Input During Web Page Generation (XSS) flaw found in Wikimedia Foundation’s SyntaxHighlight_GeSHi component. An attacker can supply a value for the extended "linelinks" attribute that is stored and later rendered unescaped, allowing malicious JavaScript to persistently execute within an authenticated user’s browser. This stored XSS can be used to hijack user sessions, deface content, or exfiltrate sensitive data, affecting confidentiality and integrity for users of the affected application.
Affected Systems
The issue appears in Wikimedia Foundation SyntaxHighlight_GeSHi, specifically versions prior to 1.46.0 and the releases 1.45.4, 1.44.6, and 1.43.9. All earlier releases are also vulnerable. The vulnerability arises in files related to SyntaxHighlight.Php.
Risk and Exploitability
The CVSS score of 5.3 places the flaw in the moderate severity range. No EPSS score is available, so the probability of exploitation cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog, so no known widespread exploitation has been documented. The likely attack path requires an attacker to inject malicious content via the "linelinks" attribute into a page or data field that is processed and stored by SyntaxHighlight_GeSHi, implying that the ability to craft the input is a prerequisite. Attacker impact would be confined to the affected user’s session and any downstream users who view the compromised content.
OpenCVE Enrichment