CVE-2025-43861 MEDIUM

CVE-2025-43861: ManageWiki Vulnerable to Self-XSS in review dialog via unsanitized field reflection

Vendor Miraheze
Product ManageWiki
Weakness CWE-79 · XSS
Published April 24, 2025
Last update April 25, 2025

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes" dialog, the payload will be rendered and executed in the context of their own session. This issue has been patched in commit 2f177dc.

Key dates

02 Disclosure timeline

April 24, 2025 CVE published
April 25, 2025 Record updated