Impact
Improper neutralization of input during web page generation in the Cargo extension leads to stored cross-site scripting: an attacker can inject a script that is persisted by the wiki and executed in the browser of every user who views the affected page. This is an instance of CWE-79 and can enable credential theft, session hijacking, defacement and other client-side attacks.
Affected Systems
The vulnerability affects the Wikimedia Foundation MediaWiki Cargo Extension in all releases earlier than 3.9.1, including the 3.8.x series and the very early 3.9 versions. Any MediaWiki installation that includes this extension is potentially exposed.
Risk and Exploitability
The CVSS base score of 6.9 indicates moderate severity, and no EPSS score is currently available, so the likelihood of widespread exploitation is uncertain. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the ability to store data in the Cargo map format, which, based on the description, is inferred to require content-editing or higher permissions. Because the injected script is stored, a single injection persists until the data is removed, giving the attacker a persistent attack vector.
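To check an installation against the affected range stated above (every release earlier than 3.9.1), here is an added Python helper; it is not part of the advisory or of the Cargo extension. It assumes the extension's metadata file is extensions/Cargo/extension.json with a top-level "name" and "version" key, and the embedded JSON sample is constructed.

```python
import json
import re
from pathlib import Path
from typing import Optional, Tuple

# First fixed release named in the advisory: everything earlier is affected.
FIXED_VERSION = (3, 9, 1)

# Constructed sample of a MediaWiki extension.json (not a real Cargo file).
SAMPLE_EXTENSION_JSON = '{"name": "Cargo", "version": "3.8.5", "type": "parserhook"}'


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.8.5', 'v3.9' or '3.9.1-alpha' into a comparable tuple.
    Missing components are padded with 0 ('3.9' -> (3, 9, 0)); a pre-release
    suffix is ignored, so treat such builds as a manual follow-up."""
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True for the 3.8.x line and the early 3.9 builds (< 3.9.1),
    False for 3.9.1 and later."""
    return parse_version(version) < FIXED_VERSION


def report_from_json(text: str) -> Optional[dict]:
    """Parse extension.json content; return None if it is not the Cargo
    extension, otherwise the installed version and the affected verdict."""
    data = json.loads(text)
    if data.get("name") != "Cargo":
        return None
    version = str(data.get("version", ""))
    return {"version": version, "affected": is_affected(version)}


def report_from_path(path: Path) -> Optional[dict]:
    """Convenience wrapper: assumed path is <wiki>/extensions/Cargo/extension.json."""
    return report_from_json(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    print(report_from_json(SAMPLE_EXTENSION_JSON))
```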
OpenCVE Enrichment