vulnerability

Debian: CVE-2020-25814: mediawiki -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:P/A:N)	Sep 28, 2020	Sep 28, 2020	Aug 15, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

Sep 28, 2020

Added

Sep 28, 2020

Modified

Aug 15, 2025

Description

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked.

Solution

debian-upgrade-mediawiki

References

CVE-2020-25814
https://attackerkb.com/topics/CVE-2020-25814
CWE-79
DEBIAN-DLA-2379-1
DEBIAN-DSA-4767-1

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today