The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice.
This issue affects Mediawiki - MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
References
Configurations
No configuration.
History
10 Jul 2025, 14:15
Type | Values Removed | Values Added |
---|---|---|
References | () https://phabricator.wikimedia.org/T394864 - | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
10 Jul 2025, 13:18
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
08 Jul 2025, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-07-08 18:15
Updated : 2025-07-10 14:15
NVD link : CVE-2025-7362
Mitre link : CVE-2025-7362
CVE.ORG link : CVE-2025-7362
JSON object : View
Products Affected
No product.
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')