CVE-2025-21612
Published: 06 January 2025
Description
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting it, so an XSS payload supplied as the page name can be used here. This vulnerability is fixed in 2.7.2.
Security Summary
CVE-2025-21612 is a cross-site scripting (XSS) vulnerability (CWE-79, CWE-80) in the TabberNeue MediaWiki extension, which enables tab creation on wikis. In versions prior to 2.7.2, the TabberTransclude.php file fails to properly escape user-supplied page names during output, allowing an XSS payload embedded in the page name to execute. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to its network accessibility and potential for significant confidentiality impact.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required (UI:N). By supplying a malicious page name containing an XSS payload, attackers can inject and execute arbitrary JavaScript in the context of users viewing affected wiki pages, potentially leading to high confidentiality impact such as session hijacking or data theft, alongside low integrity and availability effects.
The vulnerability is addressed in TabberNeue version 2.7.2, where escaping was added to prevent payload execution. Relevant GitHub commits (d8c3db4e5935476e496d979fb01f775d3d3282e6 and f229cab099c69006e25d4bad3579954e481dc566) detail the fix, and the security advisory (GHSA-4x6x-8rm8-c37j) provides further guidance on updating the extension.
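The bug class behind this advisory is output without HTML escaping. The snippet below is an added illustration written for this page; it is not TabberNeue's code and does not reproduce TabberTransclude.php. The function names, the markup shape and the sample page name are assumptions chosen to show the vulnerable pattern beside the escaped one.

```php
<?php
// Added illustration of the CVE-2025-21612 bug class (unescaped output), not TabberNeue's code.
// Function names, markup and the sample input are assumptions for this example.

declare(strict_types=1);

// Vulnerable pattern: a user-controlled page name is concatenated into HTML verbatim,
// both as an attribute value and as element text.
function renderTabUnsafe(string $pageName): string
{
    return '<div class="tabber__tab" data-title="' . $pageName . '">' . $pageName . '</div>';
}

// Hardened pattern: escape at the point of output, for the HTML context the value lands in.
// ENT_QUOTES covers double-quoted attribute values as well as text content;
// ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTabSafe(string $pageName): string
{
    $escaped = escapeHtml($pageName);
    return '<div class="tabber__tab" data-title="' . $escaped . '">' . $escaped . '</div>';
}

// Constructed sample: a page name carrying characters that terminate the attribute
// and open a new element if left unescaped.
$sample = 'Main Page"><b>not a page name</b>';

echo "Unsafe: " . renderTabUnsafe($sample) . "\n";
echo "Safe:   " . renderTabSafe($sample) . "\n";

// Self-check on the hardened output: no raw tag from the input survives, and the only
// double quotes present are the four that delimit the two attribute values.
$safe = renderTabSafe($sample);
assert(strpos($safe, '<b>') === false);
assert(substr_count($safe, '"') === 4);
```

In a real MediaWiki extension the idiomatic route is core's `Html::element()`, which escapes both attribute values and contents for you; plain `htmlspecialchars()` is used here only so the example runs outside MediaWiki. The review check that catches this class of defect is the same either way: every user-supplied string that reaches markup must pass through an escaper appropriate to its context (text, attribute, URL, JavaScript), and a grep for string concatenation into HTML inside parser-hook or transclusion code is a cheap first pass.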
Details
- CWE(s)