CVE-2020-25828
MEDIUMMediaWiki < 1.31.10 and 1.32.0-1.34.3 - Cross-Site Scripting in Message Parser
Title source: llmDescription
An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)
References (4)
Core 4
Core References
Vendor Advisory x_refsource_misc
https://lists.wikimedia.org/pipermail/mediawiki-announce
Mailing List, Vendor Advisory x_refsource_confirm
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
Mailing List, Vendor Advisory x_refsource_misc
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
Scores
CVSS v3
6.1
EPSS
0.0039
EPSS Percentile
59.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (4)
fedoraproject/fedora
33
mediawiki/core
1.31.0 - 1.31.9Packagist
mediawiki/mediawiki
1.31.10
mediawiki/mediawiki
1.32.0 - 1.34.4
Published
Sep 27, 2020
Tracked Since
Feb 18, 2026