CVE-2025-7362: MsUpload: Stored Cross-Site Scripting (XSS) via unsanitized msu-continue system message

Description

The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice.

This issue affects Mediawiki - MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Classification

CVE ID: CVE-2025-7362

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Affected Products

Vendor: Wikimedia Foundation

Product: Mediawiki - MsUpload extension

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.3% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-07-10 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-7362
https://phabricator.wikimedia.org/T394864
https://gerrit.wikimedia.org/r/q/Icf4c0a5a936926ea887ca2e48c3a7bd297201d9f

Timeline