CVE-2025-21612 (GCVE-0-2025-21612)
Vulnerability from cvelistv5 – Published: 2025-01-06 15:47 – Updated: 2025-08-26 19:48
VLAI?
Summary
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.
Severity ?
8.6 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| StarCitizenTools | mediawiki-extensions-TabberNeue |
Affected:
>= 1.9.1, < 2.7.2
Affected: >= d8c3db4e5935476e496d979fb01f775d3d3282e6, < f229cab099c69006e25d4bad3579954e481dc566 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21612",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T16:51:40.445477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T19:48:04.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mediawiki-extensions-TabberNeue",
"vendor": "StarCitizenTools",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.9.1, \u003c 2.7.2"
},
{
"status": "affected",
"version": "\u003e= d8c3db4e5935476e496d979fb01f775d3d3282e6, \u003c f229cab099c69006e25d4bad3579954e481dc566"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn\u0027t escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T15:47:27.214Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j"
},
{
"name": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6"
},
{
"name": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566"
}
],
"source": {
"advisory": "GHSA-4x6x-8rm8-c37j",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in TabberTransclude in Extension:TabberNeue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-21612",
"datePublished": "2025-01-06T15:47:27.214Z",
"dateReserved": "2024-12-29T03:00:24.713Z",
"dateUpdated": "2025-08-26T19:48:04.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn\u0027t escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.\"}, {\"lang\": \"es\", \"value\": \"TabberNeue es una extensi\\u00f3n de MediaWiki que permite que la wiki cree pesta\\u00f1as. Antes de la versi\\u00f3n 2.7.2, TabberTransclude.php no omite el nombre de la p\\u00e1gina proporcionado por el usuario al generar la salida, por lo que se puede utilizar un payload XSS como nombre de la p\\u00e1gina. Esta vulnerabilidad se solucion\\u00f3 en la versi\\u00f3n 2.7.2.\"}]",
"id": "CVE-2025-21612",
"lastModified": "2025-01-06T17:15:46.840",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\", \"baseScore\": 8.6, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.7}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\", \"baseScore\": 8.6, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.7}]}",
"published": "2025-01-06T16:15:31.633",
"references": "[{\"url\": \"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j\", \"source\": \"security-advisories@github.com\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}, {\"lang\": \"en\", \"value\": \"CWE-80\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-21612\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-01-06T16:15:31.633\",\"lastModified\":\"2025-08-26T20:15:36.250\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn\u0027t escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.\"},{\"lang\":\"es\",\"value\":\"TabberNeue es una extensi\u00f3n de MediaWiki que permite que la wiki cree pesta\u00f1as. Antes de la versi\u00f3n 2.7.2, TabberTransclude.php no omite el nombre de la p\u00e1gina proporcionado por el usuario al generar la salida, por lo que se puede utilizar un payload XSS como nombre de la p\u00e1gina. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 2.7.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-80\"}]}],\"references\":[{\"url\":\"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21612\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-06T16:51:40.445477Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-06T16:52:21.396Z\"}}], \"cna\": {\"title\": \"Cross-site Scripting in TabberTransclude in Extension:TabberNeue\", \"source\": {\"advisory\": \"GHSA-4x6x-8rm8-c37j\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"StarCitizenTools\", \"product\": \"mediawiki-extensions-TabberNeue\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.9.1, \u003c 2.7.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= d8c3db4e5935476e496d979fb01f775d3d3282e6, \u003c f229cab099c69006e25d4bad3579954e481dc566\"}]}], \"references\": [{\"url\": \"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j\", \"name\": \"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6\", \"name\": \"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566\", \"name\": \"https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn\u0027t escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-06T15:47:27.214Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-21612\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-26T19:48:04.827Z\", \"dateReserved\": \"2024-12-29T03:00:24.713Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-01-06T15:47:27.214Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2025-21612
Vulnerability from fkie_nvd - Published: 2025-01-06 16:15 - Updated: 2025-08-26 20:15
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn\u0027t escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2."
},
{
"lang": "es",
"value": "TabberNeue es una extensi\u00f3n de MediaWiki que permite que la wiki cree pesta\u00f1as. Antes de la versi\u00f3n 2.7.2, TabberTransclude.php no omite el nombre de la p\u00e1gina proporcionado por el usuario al generar la salida, por lo que se puede utilizar un payload XSS como nombre de la p\u00e1gina. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 2.7.2."
}
],
"id": "CVE-2025-21612",
"lastModified": "2025-08-26T20:15:36.250",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-01-06T16:15:31.633",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-4X6X-8RM8-C37J
Vulnerability from github – Published: 2025-01-06 15:47 – Updated: 2025-01-06 18:42
VLAI?
Summary
Extension:TabberNeue vulnerable to Cross-site Scripting
Details
Summary
There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users.
Edit: Only the first XSS can be reproduced in production.
Details
✅ Verified and patched in f229cab099c69006e25d4bad3579954e481dc566
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberTransclude.php#L154 This doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here.
This was caused by d8c3db4e5935476e496d979fb01f775d3d3282e6.
❌ Invalid as MediaWiki parser sanitizes dangerous HTML
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/Tabber.php#L160
The documentation for Parser::recursiveTagParse() states that it returns unsafe HTML, and the $content being supplied is from user input.
This was caused by 95351812613e04717f3ad7844cfcc67e4ede4d11.
❌ Invalid as TabberParsoid is not being used
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberParsoid.php#L96 This uses unescaped user input as the attribute of an element, thus allowing the user to break out of the attribute or element and injecting arbitrary attributes to the element, or inserting new ones (such as a script tag).
This was caused by 8278e665480f08da635aee383c6b5caaeca26ba3.
PoC
For the first XSS, render the following wikitext (whether it be through saving it to a page and viewing it, or via Special:ExpandTemplates):
<tabbertransclude>
<script>alert(1)</script> | hehe
</tabbertransclude>
For the second XSS, I have given up attempting to reproduce it after over twenty minutes of "surfing through the internals of the MediaWiki parser fishing for an XSS out of this giant contraption as I bring myself deeper and deeper into the cogs of the machine that no one knows how to maintain or fully operate ever since its conception".
For the third XSS, this is unreachable as the class is never used, though it should be fixed anyway (or the file removed).
Impact
Any user with the ability to cause another user to render wikitext (such as viewing a page that the user can edit, or an attacker tricking the victim to click on a link to Special:ExpandTemplates with the malicious wikitext in the wpInput parameter) can XSS said user.
Severity ?
8.6 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "starcitizentools/tabber-neue"
},
"ranges": [
{
"events": [
{
"introduced": "1.9.1"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-21612"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-06T15:47:49Z",
"nvd_published_at": "2025-01-06T16:15:31Z",
"severity": "HIGH"
},
"details": "### Summary\nThere are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users.\n\n\u003e Edit: Only the first XSS can be reproduced in production.\n\n### Details\n\n\u003e \u2705 Verified and patched in f229cab099c69006e25d4bad3579954e481dc566\n\nhttps://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberTransclude.php#L154\nThis doesn\u0027t escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here.\n\nThis was caused by d8c3db4e5935476e496d979fb01f775d3d3282e6.\n\n----\n\n\u003e \u274c Invalid as MediaWiki parser sanitizes dangerous HTML\n\nhttps://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/Tabber.php#L160\nThe documentation for [`Parser::recursiveTagParse()`](https://doc.wikimedia.org/mediawiki-core/REL1_42/php/classMediaWiki_1_1Parser_1_1Parser.html#ae450036ec9abb417f142bfdaede02783) states that it returns unsafe HTML, and the `$content` being supplied is from user input.\n\nThis was caused by 95351812613e04717f3ad7844cfcc67e4ede4d11.\n\n----\n\n\u003e \u274c Invalid as TabberParsoid is not being used\n\nhttps://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberParsoid.php#L96\nThis uses unescaped user input as the attribute of an element, thus allowing the user to break out of the attribute or element and injecting arbitrary attributes to the element, or inserting new ones (such as a script tag).\n\nThis was caused by 8278e665480f08da635aee383c6b5caaeca26ba3.\n\n### PoC\nFor the first XSS, render the following wikitext (whether it be through saving it to a page and viewing it, or via Special:ExpandTemplates):\n```wikitext\n\u003ctabbertransclude\u003e\n\u003cscript\u003ealert(1)\u003c/script\u003e | hehe\n\u003c/tabbertransclude\u003e\n```\n\n\nFor the second XSS, I have given up attempting to reproduce it after over twenty minutes of \"surfing through the internals of the MediaWiki parser fishing for an XSS out of this giant contraption as I bring myself deeper and deeper into the cogs of the machine that no one knows how to maintain or fully operate ever since its conception\".\n\nFor the third XSS, this is unreachable as the class is never used, though it should be fixed anyway (or the file removed).\n\n### Impact\nAny user with the ability to cause another user to render wikitext (such as viewing a page that the user can edit, or an attacker tricking the victim to click on a link to Special:ExpandTemplates with the malicious wikitext in the `wpInput` parameter) can XSS said user.\n",
"id": "GHSA-4x6x-8rm8-c37j",
"modified": "2025-01-06T18:42:30Z",
"published": "2025-01-06T15:47:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21612"
},
{
"type": "WEB",
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6"
},
{
"type": "WEB",
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566"
},
{
"type": "PACKAGE",
"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Extension:TabberNeue vulnerable to Cross-site Scripting"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…