PT-2025-28017 · Mediawiki · Securepoll Extension+1
Published: 2025-07-04 · Updated: 2025-07-04
CVE-2025-53484
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Mediawiki - SecurePoll extension versions 1.39.0 through 1.39.12
Mediawiki - SecurePoll extension versions 1.42.0 through 1.42.6
Mediawiki - SecurePoll extension versions 1.43.0 through 1.43.1
Description:
The issue arises from improper escaping of user-controlled inputs in VotePage.php, specifically the poll option input, and in ResultPage, within the getPagesTab() and getErrorsTab() functions, where user-controllable page names are used. This allows attackers to inject JavaScript, potentially compromising user sessions under certain conditions.
Recommendations:
For Mediawiki - SecurePoll extension versions 1.39.0 through 1.39.12, update to version 1.39.13 or later.
For Mediawiki - SecurePoll extension versions 1.42.0 through 1.42.6, update to version 1.42.7 or later.
For Mediawiki - SecurePoll extension versions 1.43.0 through 1.43.1, update to version 1.43.2 or later.
Fix
XSS
Affected Products
Mediawiki
Securepoll Extension