CVE-2020-25814

Description

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked.

How to fix CVE-2020-25814

To remediate CVE-2020-25814, upgrade the affected package to a fixed version below.

• —upgrade to 1.31.10 or later
• —upgrade to 1:1.35.0-1 or later
• —upgrade to 1.31.9 or later

Is CVE-2020-25814 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 1.31.10, >= 1.32.0, < 1.34.4
• from 0, < 1:1.35.0-1
• >= 1.31.0, < 1.31.9

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-25814
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-25814
• PATCHgithub.com/wikimedia/mediawiki
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2020-25814.yaml