CVE-2025-53486

The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud. The vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement. This issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17
https://phabricator.wikimedia.org/T394590

Configurations

No configuration.

History

No history.

Information

Published : 2025-07-07 15:15

Updated : 2025-07-08 16:18

NVD link : CVE-2025-53486

Mitre link : CVE-2025-53486

CVE.ORG link : CVE-2025-53486

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-53486", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-07-07T15:15:27.947", "references": [{"url": "https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}, {"url": "https://phabricator.wikimedia.org/T394590", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.\n\n\n\n\nThe vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.\n\n\n\n\nThis issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2."}, {"lang": "es", "value": "La extensi\u00f3n WikiCategoryTagCloud es vulnerable a XSS reflejado a trav\u00e9s del atributo linkstyle, que se concatena incorrectamente en HTML en l\u00ednea sin escape. Un atacante puede inyectar controladores de eventos JavaScript como \"onmouseenter\" utilizando una entrada cuidadosamente manipulada mediante la funci\u00f3n de an\u00e1lisis {{#tag:tagcloud}}, lo que provoca la ejecuci\u00f3n arbitraria de JavaScript al pasar el cursor sobre un enlace en la nube de categor\u00edas. La vulnerabilidad existe porque el par\u00e1metro linkstyle solo se pasa a trav\u00e9s de Sanitizer::checkCss() (que no escapa HTML) y luego se inserta directamente en un atributo style mediante concatenaci\u00f3n de cadenas en lugar de Html::element o Html::openElement. Este problema afecta a Mediawiki - extensi\u00f3n WikiCategoryTagCloud: de la versi\u00f3n 1.39.X a la 1.39.13, de la versi\u00f3n 1.42.X a la 1.42.7 y de la versi\u00f3n 1.43.X a la 1.43.2."}], "lastModified": "2025-07-08T16:18:34.923", "sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}