PT-2025-28178 · Unknown+1 · Approvedrevs Extension+1
Somerandomdeveloper
·
Published
2025-07-07
·
Updated
2025-07-07
·
CVE-2025-53487
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
ApprovedRevs extension for MediaWiki versions 1.39.X through 1.39.12
ApprovedRevs extension for MediaWiki versions 1.42.X through 1.42.6
ApprovedRevs extension for MediaWiki versions 1.43.X through 1.43.1
Description:
The issue is related to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the
uselang=x-xss language override, which causes crafted message keys to be rendered unescaped.Recommendations:
For versions 1.39.X, update to version 1.39.13 or later.
For versions 1.42.X, update to version 1.42.7 or later.
For versions 1.43.X, update to version 1.43.2 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Approvedrevs Extension
Mediawiki