VYPR
Moderate severity · NVD Advisory · Published Sep 27, 2020 · Updated Aug 4, 2024

CVE-2020-25814

Description

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with `[javascript:payload xss]` and turns it into a jQuery object with `mw.message().parse()`. The expected result is that the jQuery object does not contain an `<a>` tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an `<a href ="javascript...` that executes when clicked.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MediaWiki before 1.31.10 and 1.32–1.34.x before 1.34.4 contains a stored XSS vulnerability in which jQuery objects built from messages keep unsanitized href attributes.

Vulnerability Overview

CVE-2020-25814 is a cross-site scripting (XSS) vulnerability in MediaWiki versions prior to 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The flaw resides in the `mediawiki.jqueryMsg` module, specifically when processing messages with `mw.message().parse()`. An attacker can craft a message containing a `[javascript:payload xss]` link, which is then converted into a jQuery object. Due to insufficient sanitization, the resulting `<a>` tag retains the `javascript:` href, executing arbitrary JavaScript when clicked by a victim.[1][2]

Exploitation Details

An authenticated attacker (or one able to influence a wiki page's message content) can insert a specially crafted wikitext link with a `javascript:` URI. When MediaWiki's message parser processes this input through `mw.message().parse()`, it fails to strip or neutralize the dangerous scheme. The output is a jQuery object containing an `<a>` element. Any user interacting with this rendered content, by clicking the resulting link, triggers script execution in their browser session. No special privileges beyond the ability to edit or create pages with such messages are required.[2][3]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's MediaWiki session. This can lead to session hijacking, defacement, data theft, or performing administrative actions on behalf of the victim. Since the injected script runs with the user's privileges, the impact scales with the victim's permissions, potentially compromising the entire wiki instance.[2]

Mitigation

The vulnerability is fixed in MediaWiki 1.31.10 and 1.34.4. The fix involves sanitizing URLs and the style attribute in the mediawiki.jqueryMsg module. Administrators are strongly advised to upgrade to these patched versions immediately. No workarounds are publicly documented; upgrading is the only secure mitigation.[3][4]
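The kind of link-URL check the mitigation describes, as an added JavaScript example that is not MediaWiki's patch or code. The allowlist, the base URL and the function names are assumptions; the inputs are constructed. Parsing with the WHATWG `URL` class applies the same normalization a browser does (case folding, whitespace stripping) before the scheme is compared, and a rejected link is rendered as plain text with no `<a>` tag, which is the expected result the description states.

```javascript
// Added example, not MediaWiki code. Names and allowlist are assumptions.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://wiki.example/'; // constructed base for relative links

// Return the normalized URL if its scheme is allowlisted, otherwise null.
function safeHref(raw) {
  let url;
  try {
    // The URL parser lowercases the scheme and strips leading whitespace
    // and embedded tabs/newlines, so the check sees what a browser sees.
    url = new URL(String(raw), BASE);
  } catch (e) {
    return null; // unparsable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Escape text for use in HTML content and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a [url label] style link. A rejected href yields escaped text
// only: no <a> element and no href attribute are emitted.
function renderExtLink(href, label) {
  const safe = safeHref(href);
  if (safe === null) {
    return escapeHtml(label);
  }
  return '<a href="' + escapeHtml(safe) + '" rel="nofollow">' +
    escapeHtml(label) + '</a>';
}

// Constructed sample inputs: the page's placeholder plus benign links.
const samples = [
  ['javascript:payload', 'xss'],
  ['JaVaScRiPt:payload', 'xss'],
  ['https://example.org/', 'ok'],
  ['/wiki/Main_Page', 'home'],
];
for (const [href, label] of samples) {
  console.log(JSON.stringify(href), '->', renderExtLink(href, label));
}
```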

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | >= 1.31.0, < 1.31.9 | 1.31.9 |
| mediawiki/core (Packagist) | >= 1.32.0, < 1.34.3 | 1.34.3 |
| mediawiki/core (Packagist) | >= 1.35.0-rc.0, < 1.35.0 | 1.35.0 |
