CVE-2025-62654
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki QuizGame extension allows Stored XSS. This issue affects MediaWiki QuizGame extension: 1.39, 1.43, 1.44.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in MediaWiki QuizGame extension due to system messages used as raw HTML without sanitization.
Vulnerability
The MediaWiki QuizGame extension suffers from a stored cross-site scripting (XSS) vulnerability because it inserts several system messages into the page as raw HTML without sanitization. The unsafe usage occurs in the LightBox.setText function and in the API responses for the quizgame and quizgamevote actions [1]. Multiple system messages (e.g., quizgame-lightbox-correct, quizgame-ajax-already-answered) are concatenated into HTML strings or assigned directly to innerHTML [1].
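The following JavaScript is an added illustration of the pattern the narrative describes, not code from the QuizGame extension and not its eventual fix. It models a message store that an interface admin can edit, renders one message the way the vulnerable code path does (raw concatenation into markup destined for innerHTML), and beside it the hardened form that escapes the message text first. The message keys are taken from the text above; the message values, the `escapeHtml` helper and the `containsForeignTag` check are constructed for this example.

```javascript
// Added example: raw-HTML vs. escaped rendering of editable system messages.
// Not code from the QuizGame extension; message values below are constructed.

// Stand-in for MediaWiki system messages (MediaWiki:Quizgame-... pages),
// which users with interface-admin rights can edit on the wiki.
const messages = {
  'quizgame-lightbox-correct': 'Correct!',
  // Constructed malicious value: an edited message carrying markup.
  'quizgame-ajax-already-answered': 'Already answered <script>alert(1)</script>',
};

// Look up a message; unknown keys render as ⟨key⟩ like MediaWiki does.
function msg(key) {
  return Object.prototype.hasOwnProperty.call(messages, key)
    ? messages[key]
    : '\u27e8' + key + '\u27e9';
}

// Equivalent of mw.html.escape: neutralise the five HTML-significant characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: message text concatenated into markup that is later
// assigned to element.innerHTML, so any tags in the message become live DOM.
function renderUnsafe(key) {
  return '<p class="quizgame-msg">' + msg(key) + '</p>';
}

// Hardened pattern: escape the message before it touches the markup string.
// (In MediaWiki client code this is mw.message(key).escaped(); for a plain
// element, element.textContent = mw.message(key).text() avoids HTML entirely.)
function renderEscaped(key) {
  return '<p class="quizgame-msg">' + escapeHtml(msg(key)) + '</p>';
}

// Detection check for a review or test suite: does the rendered fragment
// contain any tag other than the wrapper the rendering function itself wrote?
function containsForeignTag(html) {
  const inner = html
    .replace(/^<p class="quizgame-msg">/, '')
    .replace(/<\/p>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Stand-alone demonstration.
for (const key of Object.keys(messages)) {
  console.log(key, 'unsafe tags:', containsForeignTag(renderUnsafe(key)),
              'escaped tags:', containsForeignTag(renderEscaped(key)));
}
```

The `containsForeignTag` check is a cheap way to assert in tests that a rendering function never lets message content introduce markup; it flags the raw-concatenation path for the edited message and clears the escaped path for every message.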
Exploitation
An attacker who can edit these system messages (typically a user with interface-admin or sysop rights in MediaWiki) can inject arbitrary JavaScript. When other users view QuizGame pages, the injected script executes in their browsers [1]. The victim needs no special authentication to be affected, and the payload persists in the stored message until it is removed.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data theft, or defacement of the wiki [1].
Mitigation
As of the publication date, no patch is available. The vulnerability affects QuizGame versions 1.39, 1.43, and 1.44 [1]. Administrators should limit the ability to edit system messages to trusted users and consider disabling the extension until a fix is released.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: =1.39, =1.43, =1.44
- (no CPE) range: =1.39, =1.43, =1.44
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.