PT-2025-28636 · Mediawiki · Msupload Extension
Jane Smith
Published: 2025-07-08 · Updated: 2025-07-08
CVE-2025-7362
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
MediaWiki - MsUpload extension versions 1.39.X through 1.39.12
MediaWiki - MsUpload extension versions 1.42.X through 1.42.6
MediaWiki - MsUpload extension versions 1.43.X through 1.43.1
Description:
The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. This issue occurs in the file upload UI when the same filename is uploaded twice.
Recommendations:
For MediaWiki - MsUpload extension versions 1.39.X through 1.39.12, update to version 1.39.13 or later.
For MediaWiki - MsUpload extension versions 1.42.X through 1.42.6, update to version 1.42.7 or later.
For MediaWiki - MsUpload extension versions 1.43.X through 1.43.1, update to version 1.43.2 or later.
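The class of bug in the description, an interface message reaching the DOM as HTML, can be searched for in extension JavaScript. The following is an added example, not code from the MsUpload extension or from this advisory: a line-based triage heuristic whose function name, regular expressions and sample lines are assumptions constructed for illustration.

```javascript
// Added example (not MsUpload code): line-based triage heuristic for MediaWiki
// front-end JavaScript. mw.msg(), .text() and .plain() return message text that
// is not HTML-escaped; .escaped() returns HTML-escaped text.
const RAW_MESSAGE =
  /mw\.msg\(\s*['"]([\w-]+)['"]|mw\.message\(\s*['"]([\w-]+)['"][^)]*\)\.(?:text|plain)\(\)/;
// jQuery and DOM calls that parse a string argument as HTML.
const HTML_SINK =
  /\.(?:html|append|prepend|after|before)\(|\.(?:innerHTML|outerHTML)\s*=|\.insertAdjacentHTML\(/;

function findUnescapedMessageSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const msg = RAW_MESSAGE.exec(line);
    const sink = HTML_SINK.exec(line);
    // Report only when the raw message appears after the sink, i.e. as its value.
    if (!msg || !sink || sink.index > msg.index) return;
    // A jQuery .text( ... ) wrapper between sink and message yields a text node.
    if (/\.text\(/.test(line.slice(sink.index, msg.index))) return;
    findings.push({ line: i + 1, key: msg[1] || msg[2], code: line.trim() });
  });
  return findings;
}

// Constructed sample lines for illustration; not taken from the extension.
const SAMPLE = [
  "$warning.html( mw.msg( 'msu-continue' ) );",                           // raw text into HTML sink
  "$warning.text( mw.msg( 'msu-continue' ) );",                           // text sink
  "$warning.html( mw.message( 'msu-continue' ).escaped() );",             // escaped first
  "$list.append( $( '<li>' ).text( mw.msg( 'msu-continue' ) ) );",        // wrapped in .text()
  "el.innerHTML = '<p>' + mw.message( 'msu-continue' ).plain() + '</p>';" // raw text into innerHTML
].join('\n');

const FINDINGS = findUnescapedMessageSinks(SAMPLE);
console.log(FINDINGS);
```

Each finding is a lead for manual review, since a line-based match cannot follow a message value through intermediate variables.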
Exploit
Fix
XSS
Affected Products
Mediawiki
Msupload Extension