CVE-2025-53487
ApprovedRevs: Stored Cross-Site Scripting (XSS) via unsanitized system messages
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
ApprovedRevs: Stored Cross-Site Scripting (XSS) via unsanitized system messages
The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped. This issue affects Mediawiki - ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Reserved 2025-06-30 | Published 2025-07-07 | Updated 2025-07-07 | Assigner wikimedia-foundationCWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
phabricator.wikimedia.org/T394383
gerrit.wikimedia.org/...085111e7898da485a5e2ae287fee4e6d167b
Support options
