CVE-2025-32074 - Vulnerability Details - OpenCVE

Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f
https://phabricator.wikimedia.org/T386908

History

Fri, 11 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 11 Apr 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43.
Title		XSSes in Extension:ConfirmAccount
Weaknesses		CWE-116
References		https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f https://phabricator.wikimedia.org/T386908
Metrics		cvssV4_0 `{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published: 2025-04-11T16:22:23.418Z

Updated: 2025-04-11T17:30:57.015Z

Reserved: 2025-04-03T21:56:59.952Z

Link: CVE-2025-32074

Vulnrichment

Updated: 2025-04-11T17:30:51.608Z

NVD

Status : Awaiting Analysis

Published: 2025-04-11T17:15:44.097

Modified: 2025-04-15T18:39:43.697

Link: CVE-2025-32074

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32074", "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "state": "PUBLISHED", "assignerShortName": "wikimedia-foundation", "dateReserved": "2025-04-03T21:56:59.952Z", "datePublished": "2025-04-11T16:22:23.418Z", "dateUpdated": "2025-04-11T17:30:57.015Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mediawiki - Confirm Account Extension", "vendor": "The Wikimedia Foundation", "versions": [{"lessThanOrEqual": "1.43", "status": "affected", "version": "1.39", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "BlankEclair"}], "datePublic": "2025-04-11T00:58:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).<p>This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43.</p>"}], "value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 10, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation", "dateUpdated": "2025-04-11T16:22:23.418Z"}, "references": [{"url": "https://phabricator.wikimedia.org/T386908"}, {"url": "https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f"}], "source": {"discovery": "UNKNOWN"}, "title": "XSSes in Extension:ConfirmAccount", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-11T17:30:39.241628Z", "id": "CVE-2025-32074", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T17:30:57.015Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32074", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-11T17:30:39.241628Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T17:30:51.608Z"}}], "cna": {"title": "XSSes in Extension:ConfirmAccount", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "BlankEclair"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The Wikimedia Foundation", "product": "Mediawiki - Confirm Account Extension", "versions": [{"status": "affected", "version": "1.39", "versionType": "semver", "lessThanOrEqual": "1.43"}], "defaultStatus": "unaffected"}], "datePublic": "2025-04-11T00:58:00.000Z", "references": [{"url": "https://phabricator.wikimedia.org/T386908"}, {"url": "https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43.", "supportingMedia": [{"type": "text/html", "value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).<p>This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation", "dateUpdated": "2025-04-11T16:22:23.418Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32074", "state": "PUBLISHED", "dateUpdated": "2025-04-11T17:30:57.015Z", "dateReserved": "2025-04-03T21:56:59.952Z", "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "datePublished": "2025-04-11T16:22:23.418Z", "assignerShortName": "wikimedia-foundation"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43."}], "id": "CVE-2025-32074", "lastModified": "2025-04-15T18:39:43.697", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}, "published": "2025-04-11T17:15:44.097", "references": [{"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "url": "https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f"}, {"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "url": "https://phabricator.wikimedia.org/T386908"}], "sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}