CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-23081: Various security vulnerabilities in Extension:DataTransfer

Description

Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Classification

CVE ID: CVE-2025-23081

Affected Products

Vendor: Wikimedia Foundation

Product: Mediawiki - DataTransfer Extension

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.39% (scored less or equal to compared to others)

EPSS Date: 2025-02-12 (when was this score calculated)

References

https://phabricator.wikimedia.org/T379749
https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3
https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7
https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9
https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451

Timeline

2025-01-14 21:15:17 UTC
Github Advisory Database (Composer)

[mediawiki/data-transfer] Mediawiki - DataTransfer Extension Cross-Site Request Forgery (CSRF) and Cross-site Scripting (XSS)
2025-01-15 00:30:53 UTC
CVE

Various security vulnerabilities in Extension:DataTransfer