CVE-2025-53487

State: PUBLISHED · Published: 2025-07-07 · Updated: 2025-07-07 · Assigner: wikimedia-foundation

Description

The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped. This issue affects Mediawiki - ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

CWE

CWE-79 — CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Affected

Wikimedia Foundation / Mediawiki - ApprovedRevs extension — v=1.39.x <1.39.13 [affected]; v=1.42.x <1.42.7 [affected]; v=1.43.x <1.43.2 [affected]

CVSS

(none)

References

https://phabricator.wikimedia.org/T394383
https://gerrit.wikimedia.org/r/q/Ifcab085111e7898da485a5e2ae287fee4e6d167b

Source

cvelistV5-main/cves/2025/53xxx/CVE-2025-53487.json