SB2025080751 - Multiple vulnerabilities in MediaWiki
Published: August 7, 2025
Description
This security bulletin contains information about 12 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-32072)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Feed Utils. A remote attacker can inject and execute arbitrary JavaScript code in WebView.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-6589)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to incorrect implementation of the Special:BlockList feature. A remote user blocked with a hideuser block on a wiki with MultiBlocks enabled can view hidden usernames.
3) Improper access control (CVE-ID: CVE-2025-6590)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper validation of the usernames. A logged-out user can reveal hidden page contents through transclusion, e.g., "{{:Private page}}".
4) Text injection (CVE-ID: CVE-2025-6591)
The vulnerability allows a remote attacker to display arbitrary text output.
The vulnerability exists due to insufficient validation of user-supplied input on the API "action=feedcontributions" output. A remote attacker can inject and display arbitrary text messages in the API output.
5) Session fixation (CVE-ID: CVE-2025-6592)
The vulnerability allows a remote attacker to perform session fixation attacks.
The vulnerability exists because the software associates temporary user accounts with a newly registered user account, leading to data such as the username and IP address being merged. This can lead to potential account takeover if an attacker had control over the temporary user session.
6) Information disclosure (CVE-ID: CVE-2025-6593)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the application does not verify the email address when sending the "{{SITENAME}} registered email address has been changed" email message, revealing the IP address of the user. A remote attacker can gain access to sensitive information.
7) Cross-site scripting (CVE-ID: CVE-2025-6594)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Special:ApiSandbox. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
8) Stored cross-site scripting (CVE-ID: CVE-2025-6595)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in MultimediaViewer. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
9) Stored cross-site scripting (CVE-ID: CVE-2025-6596)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling portlet labels. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
10) Improper authentication (CVE-ID: CVE-2025-6597)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to a logic error in the account autocreation process, which shares its logic with the user login flow via the AuthManager::setSessionDataForUser() method. A remote attacker can bypass the authentication process and take over accounts of other web application users.
11) Improper access control (CVE-ID: CVE-2025-6927)
The vulnerability allows a remote user to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions within the BlockListPager feature. A remote user can obtain a list of hidden usernames using autoblocks.
12) Improper authentication (CVE-ID: CVE-2025-6926)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error in the authentication logic when SUL3 autologin is used for re-authentication. A remote attacker can bypass the authentication process and gain unauthorized access to the application.
Remediation
Install the update from the vendor's website.
References
- https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/TT45WDZ7MDTXXBEFLBMLAJI532O2PN2U/
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1120134
- https://phabricator.wikimedia.org/T386175
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165111
- https://phabricator.wikimedia.org/T391343
- https://phabricator.wikimedia.org/T392746
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165112
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165084
- https://phabricator.wikimedia.org/T392276
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165113
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165085
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1143146
- https://phabricator.wikimedia.org/T396230
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165114
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165086
- https://phabricator.wikimedia.org/T395063
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165115
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165087
- https://phabricator.wikimedia.org/T394863
- https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MultimediaViewer/+/1165106
- https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MultimediaViewer/+/1165144
- https://phabricator.wikimedia.org/T396685
- https://gerrit.wikimedia.org/r/c/mediawiki/skins/Vector/+/1165107
- https://phabricator.wikimedia.org/T389009
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165116
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165088
- https://phabricator.wikimedia.org/T397595
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165118
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165119
- https://phabricator.wikimedia.org/T389010
- https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1165164
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165117
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165090