User-controlled inputs are improperly escaped in:
*
VotePage.php (poll option input)
*
ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names)
This allows attackers to inject JavaScript and compromise user sessions under certain conditions.
This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
References
Configurations
No configuration.
History
08 Jul 2025, 18:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
08 Jul 2025, 16:18
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
04 Jul 2025, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-07-04 18:15
Updated : 2025-07-08 18:15
NVD link : CVE-2025-53484
Mitre link : CVE-2025-53484
CVE.ORG link : CVE-2025-53484
JSON object : View
Products Affected
No product.
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')