CVE-2020-25812
Description
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS vulnerability in MediaWiki's Special:Contributions page allows attackers to inject arbitrary HTML if a message is modified to contain raw HTML.
Vulnerability
Overview
An issue in MediaWiki versions 1.34.x before 1.34.4 allowed cross-site scripting (XSS) on the Special:Contributions page. The NS filter option keys were built using unescaped messages from the invert and namespace_association system messages, as seen in the source code [1]. If an attacker could alter these messages (e.g., through editinterface rights or compromised localization), they could inject raw HTML into the page.
Exploitation
Prerequisites
Exploitation requires the ability to modify MediaWiki system messages, typically limited to administrators with editinterface permission. The XSS fires when a victim views Special:Contributions because the unescaped message values become part of the HTML form [2]. No special user interaction beyond viewing the page is needed.
Impact
An attacker can execute arbitrary HTML or JavaScript in the context of the victim's browser, potentially leading to session theft, defacement, or disclosure of sensitive information [3]. The severity is considered mild due to the administrative prerequisite, but it still poses a risk on wikis where message customization is allowed.
Mitigation
The fix replaces ->text() with ->escaped() when generating the option keys, ensuring proper HTML escaping [2]. The vulnerability is addressed in MediaWiki 1.34.4 and later releases; administrators should upgrade or apply the patch [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mediawiki/corePackagist | >= 1.34.0, < 1.34.3 | 1.34.3 |
mediawiki/corePackagist | >= 1.35.0-rc.0, < 1.35.0 | 1.35.0 |
Affected products
2- osv-coords2 versions
>= 1.34.0, < 1.34.4+ 1 more
- (no CPE)range: >= 1.34.0, < 1.34.4
- (no CPE)range: >= 1.34.0, < 1.34.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- github.com/advisories/GHSA-rj9p-8jxj-2ch4ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2020-25812ghsaADVISORY
- gerrit.wikimedia.org/g/mediawiki/core/+/ad4a3ba45fb955aa8c0eb3c83809b16b40a498b9/includes/specials/SpecialContributions.phpghsax_refsource_MISCWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2020-25812.yamlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6ghsaWEB
- lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.htmlghsax_refsource_CONFIRMWEB
- lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.htmlghsax_refsource_MISCWEB
- phabricator.wikimedia.org/T255918ghsaWEB
News mentions
0No linked articles in our index yet.