CVE-2025-21612

TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566
https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j

Configurations

No configuration.

History

26 Aug 2025, 20:15

Type	Values Removed	Values Added
Summary		(es) TabberNeue es una extensión de MediaWiki que permite que la wiki cree pestañas. Antes de la versión 2.7.2, TabberTransclude.php no omite el nombre de la página proporcionado por el usuario al generar la salida, por lo que se puede utilizar un payload XSS como nombre de la página. Esta vulnerabilidad se solucionó en la versión 2.7.2.

06 Jan 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-06 16:15

Updated : 2025-08-26 20:15

NVD link : CVE-2025-21612

Mitre link : CVE-2025-21612

CVE.ORG link : CVE-2025-21612

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

{"id": "CVE-2025-21612", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2025-01-06T16:15:31.633", "references": [{"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6", "source": "security-advisories@github.com"}, {"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566", "source": "security-advisories@github.com"}, {"url": "https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}]}], "descriptions": [{"lang": "en", "value": "TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2."}, {"lang": "es", "value": "TabberNeue es una extensi\u00f3n de MediaWiki que permite que la wiki cree pesta\u00f1as. Antes de la versi\u00f3n 2.7.2, TabberTransclude.php no omite el nombre de la p\u00e1gina proporcionado por el usuario al generar la salida, por lo que se puede utilizar un payload XSS como nombre de la p\u00e1gina. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 2.7.2."}], "lastModified": "2025-08-26T20:15:36.250", "sourceIdentifier": "security-advisories@github.com"}