CVE-2025-53486 (GCVE-0-2025-53486)

Vulnerability from cvelistv5 – Published: 2025-07-07 15:07 – Updated: 2025-07-07 19:15
VLAI?
Summary
The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud. The vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement. This issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Wikimedia Foundation Mediawiki - WikiCategoryTagCloud extension Affected: 1.39.x , < 1.39.13 (semver)
Affected: 1.42.x , < 1.42.7 (semver)
Affected: 1.43.x , < 1.43.2 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-53486",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T19:13:04.719962Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T19:15:02.740Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mediawiki - WikiCategoryTagCloud extension",
          "vendor": "Wikimedia Foundation",
          "versions": [
            {
              "lessThan": "1.39.13",
              "status": "affected",
              "version": "1.39.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.42.7",
              "status": "affected",
              "version": "1.42.x",
              "versionType": "semver"
            },
            {
              "lessThan": "1.43.2",
              "status": "affected",
              "version": "1.43.x",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.\u003cbr\u003e\u003c/p\u003e\n\n\u003cp\u003eThe vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.\u003c/p\u003e\n\n\n\u003cp\u003eThis issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.\u003c/p\u003e"
            }
          ],
          "value": "The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.\n\n\n\n\nThe vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.\n\n\n\n\nThis issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-591 Reflected XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T15:07:44.875Z",
        "orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
        "shortName": "wikimedia-foundation"
      },
      "references": [
        {
          "url": "https://phabricator.wikimedia.org/T394590"
        },
        {
          "url": "https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "WikiCategoryTagCloud: Reflected Cross-Site Scripting (XSS) via linkstyle attribute in parser function",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
    "assignerShortName": "wikimedia-foundation",
    "cveId": "CVE-2025-53486",
    "datePublished": "2025-07-07T15:07:44.875Z",
    "dateReserved": "2025-06-30T15:20:44.462Z",
    "dateUpdated": "2025-07-07T19:15:02.740Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53486\",\"sourceIdentifier\":\"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\",\"published\":\"2025-07-07T15:15:27.947\",\"lastModified\":\"2025-07-08T16:18:34.923\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.\\n\\n\\n\\n\\nThe vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.\\n\\n\\n\\n\\nThis issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.\"},{\"lang\":\"es\",\"value\":\"La extensi\u00f3n WikiCategoryTagCloud es vulnerable a XSS reflejado a trav\u00e9s del atributo linkstyle, que se concatena incorrectamente en HTML en l\u00ednea sin escape. Un atacante puede inyectar controladores de eventos JavaScript como \\\"onmouseenter\\\" utilizando una entrada cuidadosamente manipulada mediante la funci\u00f3n de an\u00e1lisis {{#tag:tagcloud}}, lo que provoca la ejecuci\u00f3n arbitraria de JavaScript al pasar el cursor sobre un enlace en la nube de categor\u00edas. La vulnerabilidad existe porque el par\u00e1metro linkstyle solo se pasa a trav\u00e9s de Sanitizer::checkCss() (que no escapa HTML) y luego se inserta directamente en un atributo style mediante concatenaci\u00f3n de cadenas en lugar de Html::element o Html::openElement. Este problema afecta a Mediawiki - extensi\u00f3n WikiCategoryTagCloud: de la versi\u00f3n 1.39.X a la 1.39.13, de la versi\u00f3n 1.42.X a la 1.42.7 y de la versi\u00f3n 1.43.X a la 1.43.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17\",\"source\":\"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\"},{\"url\":\"https://phabricator.wikimedia.org/T394590\",\"source\":\"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"product\": \"Mediawiki - WikiCategoryTagCloud extension\", \"vendor\": \"Wikimedia Foundation\", \"versions\": [{\"lessThan\": \"1.39.13\", \"status\": \"affected\", \"version\": \"1.39.x\", \"versionType\": \"semver\"}, {\"lessThan\": \"1.42.7\", \"status\": \"affected\", \"version\": \"1.42.x\", \"versionType\": \"semver\"}, {\"lessThan\": \"1.43.2\", \"status\": \"affected\", \"version\": \"1.43.x\", \"versionType\": \"semver\"}]}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"\u003cp\u003eThe WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.\u003cbr\u003e\u003c/p\u003e\\n\\n\u003cp\u003eThe vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.\u003c/p\u003e\\n\\n\\n\u003cp\u003eThis issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.\u003c/p\u003e\"}], \"value\": \"The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.\\n\\n\\n\\n\\nThe vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.\\n\\n\\n\\n\\nThis issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.\"}], \"impacts\": [{\"capecId\": \"CAPEC-591\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-591 Reflected XSS\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\", \"shortName\": \"wikimedia-foundation\", \"dateUpdated\": \"2025-07-07T15:07:44.875Z\"}, \"references\": [{\"url\": \"https://phabricator.wikimedia.org/T394590\"}, {\"url\": \"https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"WikiCategoryTagCloud: Reflected Cross-Site Scripting (XSS) via linkstyle attribute in parser function\", \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53486\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-07T19:13:04.719962Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-07T19:13:14.209Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53486\", \"assignerOrgId\": \"c4f26cc8-17ff-4c99-b5e2-38fc1793eacc\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"wikimedia-foundation\", \"dateReserved\": \"2025-06-30T15:20:44.462Z\", \"datePublished\": \"2025-07-07T15:07:44.875Z\", \"dateUpdated\": \"2025-07-07T19:15:02.740Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.