CVE-2025-7363

{"id": "CVE-2025-7363", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-07-08T18:15:46.913", "references": [{"url": "https://gerrit.wikimedia.org/r/q/I107ab638fecbf52b5bec3f02726ed24b1ae74429", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}, {"url": "https://gerrit.wikimedia.org/r/q/I2e8c73445172679634f6ec64d37cf82507dfa110", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}, {"url": "https://phabricator.wikimedia.org/T394721", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}, {"url": "https://phabricator.wikimedia.org/T394721", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an HtmlArmor object without sanitization and rendered directly into the page header, allowing attackers to inject arbitrary JavaScript.\n\n\n\n\nThis issue affects Mediawiki - TitleIcon extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2."}, {"lang": "es", "value": "La extensi\u00f3n TitleIcon para MediaWiki es vulnerable a XSS almacenado a trav\u00e9s de la funci\u00f3n de an\u00e1lisis #titleicon_unicode. La entrada del usuario enviada a esta funci\u00f3n se encapsula en un objeto HtmlArmor sin depurar y se renderiza directamente en el encabezado de la p\u00e1gina, lo que permite a los atacantes inyectar JavaScript arbitrario. Este problema afecta a Mediawiki - extensi\u00f3n TitleIcon: de la versi\u00f3n 1.39.X a la 1.39.13, de la versi\u00f3n 1.42.X a la 1.42.7 y de la versi\u00f3n 1.43.X a la 1.43.2."}], "lastModified": "2025-07-10T14:15:27.100", "sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc"}