CVE-2025-23078
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Breadcrumbs2 extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Breadcrumbs2 extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.5, from 1.42.X before 1.42.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in MediaWiki Breadcrumbs2 extension via improper neutralization of display titles.
Vulnerability
Description
The Breadcrumbs2 extension for MediaWiki does not properly neutralise user-controlled display titles when it renders the breadcrumb navigation trail. Specifically, BreadCrumbs2.class.php inserts a page's display title into the breadcrumb markup without HTML-escaping it, so markup and script embedded in the title reach the browser intact and execute. This is a stored XSS: the payload is set once through a page's DISPLAYTITLE, persists with the page, and is rendered to every user whose breadcrumb trail includes that page [1].
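The bug class described above, modelled as a stand-alone PHP script that is an added illustration and not the Breadcrumbs2 extension's code: a breadcrumb builder that concatenates the display title raw, beside one that escapes it for the HTML context it lands in. The function names, the sample trail and the payload are constructed for the example; the payload is a generic one, not one taken from the advisory.

```php
<?php
// Added illustration of the unescaped-display-title bug class.
// Not the Breadcrumbs2 extension's code; all names here are hypothetical.
declare(strict_types=1);

/**
 * Vulnerable pattern: the display title is treated as trusted markup and
 * concatenated straight into the breadcrumb HTML.
 *
 * @param array<string,string> $trail  url => display title, outermost first
 */
function buildBreadcrumbVulnerable(array $trail): string {
    $parts = [];
    foreach ($trail as $url => $displayTitle) {
        // No escaping: whatever is in $displayTitle becomes part of the DOM.
        $parts[] = '<a href="' . $url . '">' . $displayTitle . '</a>';
    }
    return '<div class="breadcrumbs">' . implode(' &gt; ', $parts) . '</div>';
}

/**
 * Hardened pattern: every attacker-influenced value is escaped for the
 * context it is placed in (attribute value and element text content).
 */
function buildBreadcrumbFixed(array $trail): string {
    $parts = [];
    foreach ($trail as $url => $displayTitle) {
        $safeUrl   = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $safeTitle = htmlspecialchars($displayTitle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $parts[] = '<a href="' . $safeUrl . '">' . $safeTitle . '</a>';
    }
    return '<div class="breadcrumbs">' . implode(' &gt; ', $parts) . '</div>';
}

/**
 * Crude reviewer check: does the rendered fragment still contain a tag
 * carrying an on* event-handler attribute?
 */
function containsLiveHandler(string $html): bool {
    return (bool) preg_match('/<[^>]+\son\w+\s*=/i', $html);
}

// Constructed sample: a parent page and a child page whose DISPLAYTITLE
// carries a stored-XSS payload (hypothetical, not from the advisory).
$trail = [
    '/wiki/Main_Page' => 'Main Page',
    '/wiki/Child'     => 'Child <img src=x onerror="alert(document.cookie)">',
];

$vulnerable = buildBreadcrumbVulnerable($trail);
$fixed      = buildBreadcrumbFixed($trail);

echo "Vulnerable output:\n$vulnerable\n\n";
echo "Fixed output:\n$fixed\n\n";
echo 'Vulnerable contains executable handler: '
    . var_export(containsLiveHandler($vulnerable), true) . "\n";  // true
echo 'Fixed contains executable handler:      '
    . var_export(containsLiveHandler($fixed), true) . "\n";       // false
```

Run it with `php breadcrumb_demo.php`. In a real MediaWiki extension the equivalent of the hardened branch is to build the anchor with `Html::element()`, which escapes text content, or to pass the value through `htmlspecialchars()` before using `Html::rawElement()`. One caveat the page does not settle: MediaWiki display titles may legitimately carry limited, core-sanitised markup, so whether the correct fix is to escape the value as text or to preserve already-sanitised HTML depends on how the extension obtains the title; the cited fix is the authority on that.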
Exploitation
An attacker who can edit a page can set a malicious DISPLAYTITLE containing script or event-handler markup. Exploitation requires that the wiki have $wgAllowDisplayTitle enabled and $wgRestrictDisplayTitle set to false; note that the latter is not MediaWiki's default, which restricts display titles to forms that normalise to the page's own title. When any page whose breadcrumb trail includes the poisoned page is loaded, the injected script runs in the viewer's browser with that viewer's session, with no further user interaction required [1].
Impact
Successful exploitation lets the attacker perform actions as the victim, including stealing data, hijacking the session, and defacing pages. Every user who views an affected page is a potential victim; when that user is an administrator, the script runs with administrative privileges, so the attack can escalate from edit rights to full control of the wiki [1].
Mitigation
The fix ships in the Breadcrumbs2 release branches that correspond to MediaWiki 1.39.11, 1.41.5, and 1.42.4; users should update the extension to those or later versions. Until then, administrators can remove the precondition for the attack by disabling display titles ($wgAllowDisplayTitle = false) or by keeping $wgRestrictDisplayTitle at its default of true, and can limit editing of affected pages to trusted users [1].
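The configuration preconditions named under Exploitation and the interim hardening named under Mitigation, as an added LocalSettings.php fragment (not taken from the advisory): the exploitable combination beside the two settings that close it off.

```php
<?php
// Added illustration: LocalSettings.php fragments for the two MediaWiki
// settings the narrative names. Not from the advisory or the extension.

// --- Exploitable combination described above ---------------------------
// Display titles are allowed AND are not restricted to forms that
// normalise to the real page title, so an editor controls the title markup.
$wgAllowDisplayTitle    = true;
$wgRestrictDisplayTitle = false;

// --- Interim hardening while Breadcrumbs2 is unpatched -------------------
// Option A: disable the feature entirely.
// $wgAllowDisplayTitle = false;

// Option B: keep display titles, but restricted (MediaWiki's default), so a
// DISPLAYTITLE must still reduce to the page's own title once markup is
// stripped. Remove the line above that sets it to false, or override it here.
// $wgRestrictDisplayTitle = true;
```

To see which combination a wiki is actually running, check the effective values rather than assuming defaults, for example with `grep -nE 'wg(Allow|Restrict)DisplayTitle' LocalSettings.php`; a setting that is absent from the file takes MediaWiki's default, which is true for both variables.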
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=1.42.0,<1.42.4 (the description above additionally lists 1.39.X before 1.39.11 and 1.41.X before 1.41.5)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.