CVE-2025-53486

{"id": "CVE-2025-53486", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-07-07T15:15:27.947", "references": [{"url": "https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}, {"url": "https://phabricator.wikimedia.org/T394590", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.\n\n\n\n\nThe vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.\n\n\n\n\nThis issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2."}, {"lang": "es", "value": "La extensi\u00f3n WikiCategoryTagCloud es vulnerable a XSS reflejado a trav\u00e9s del atributo linkstyle, que se concatena incorrectamente en HTML en l\u00ednea sin escape. Un atacante puede inyectar controladores de eventos JavaScript como \"onmouseenter\" utilizando una entrada cuidadosamente manipulada mediante la funci\u00f3n de an\u00e1lisis {{#tag:tagcloud}}, lo que provoca la ejecuci\u00f3n arbitraria de JavaScript al pasar el cursor sobre un enlace en la nube de categor\u00edas. La vulnerabilidad existe porque el par\u00e1metro linkstyle solo se pasa a trav\u00e9s de Sanitizer::checkCss() (que no escapa HTML) y luego se inserta directamente en un atributo style mediante concatenaci\u00f3n de cadenas en lugar de Html::element o Html::openElement. Este problema afecta a Mediawiki - extensi\u00f3n WikiCategoryTagCloud: de la versi\u00f3n 1.39.X a la 1.39.13, de la versi\u00f3n 1.42.X a la 1.42.7 y de la versi\u00f3n 1.43.X a la 1.43.2."}], "lastModified": "2025-07-08T16:18:34.923", "sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}