Impact
This vulnerability is a stored cross-site scripting (XSS) flaw, an Improper Neutralization of Input During Web Page Generation, that allows an attacker to store malicious javascript: URLs within SVG files generated by the EasyTimeline component. When a victim views a compromised timeline, the embedded script can execute in their browser, potentially leading to credential theft, session hijacking, or defacement. The weakness is categorized as CWE-79.
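A defender-side check for the condition described above, as an added example (not code from the extension or its patch): it scans a generated SVG for link attributes whose URL scheme is outside an allowlist. The function names, the allowlist and the sample SVG are constructed for illustration, and it assumes links appear as href or xlink:href attributes.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_SCHEMES = {"http", "https"}  # assumption: adjust to site policy

# Conservative normalisation: drop every control character and space before
# reading the scheme. Browsers drop tabs/newlines inside a URL and leading
# whitespace, so "java<TAB>script:" still resolves to the javascript scheme.
_STRIP = re.compile(r"[\x00-\x20]+")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")

# Constructed sample: one absolute link, one obfuscated javascript: link
# (harmless void(0) body), one relative link.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://example.org/wiki/Event"><text x="10" y="20">ok</text></a>
  <a xlink:href="JaVa&#9;Script:void(0)"><text x="10" y="40">flagged</text></a>
  <a href="/wiki/Relative"><text x="10" y="60">ok</text></a>
</svg>"""


def url_scheme(value):
    """Return the lower-cased scheme after normalisation, or None if relative."""
    match = _SCHEME.match(_STRIP.sub("", value))
    return match.group(1).lower() if match else None


def find_unsafe_links(svg_text):
    """Return (tag, attribute, value) for each link with a non-allowlisted scheme."""
    # Generated timelines have no need for a DTD; refusing one also avoids
    # entity-expansion tricks in the XML parser.
    if "<!DOCTYPE" in svg_text:
        raise ValueError("DOCTYPE not accepted in generated SVG")
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        for attr in ("href", XLINK_HREF):
            value = elem.get(attr)
            if value is None:
                continue
            scheme = url_scheme(value)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                findings.append((tag, attr.rsplit("}", 1)[-1], value))
    return findings


if __name__ == "__main__":
    for finding in find_unsafe_links(SAMPLE_SVG):
        print("unsafe link:", finding)
```

Relative URLs pass because they carry no scheme; any other scheme, including data: and vbscript:, is reported along with javascript:.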
Affected Systems
The issue affects the Wikimedia Foundation’s timeline extension: all versions prior to 1.46.0 as well as the specific releases 1.45.4, 1.44.6, and 1.43.9. The vulnerability manifests when SVG graphics are rendered by the extension and can impact any user who loads a timeline containing user-supplied SVG content.
Risk and Exploitability
While no EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, the attack vector is likely through user-controlled SVG uploads or edits. Stored XSS is a high-risk vulnerability because it persists across sessions and can affect all users who visit a compromised page. No CVSS score is provided; the risk level nonetheless remains high due to the potential for widespread compromise, though the precise exploitation probability cannot be quantified from the available data.
OpenCVE Enrichment