MsUpload: Stored Cross-Site Scripting (XSS) via unsanitized msu-continue system message

July 8, 2025 invoker category_cve

CVE Details

Basic Information

Title MsUpload: Stored Cross-Site Scripting (XSS) via unsanitized msu-continue system message
Type cve
Published 2025-07-08T17:22:35.364Z
Modified 2025-07-08T17:22:35.364Z

Product Information

Vendor Wikimedia Foundation
Product Mediawiki – MsUpload extension
Version 1.39.x

CVSS Information

Base Score 0.0 ()

AI Analysis

AI Description A stored XSS vulnerability in the MsUpload extension for MediaWiki due to unsanitized system messages, affecting versions 1.39.x, 1.42.x, and 1.43.x.
AI Severity Medium
AI Vendor Wikimedia Foundation
AI Product MsUpload extension
AI Version 1.39.x, 1.42.x, 1.43.x

Affected Products

  • Wikimedia Foundation Mediawiki – MsUpload extension 1.39.x
  • Wikimedia Foundation Mediawiki – MsUpload extension 1.42.x
  • Wikimedia Foundation Mediawiki – MsUpload extension 1.43.x

Additional Information

CWE List CWE-79
Source wikimedia-foundation

Description

The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice.

This issue affects Mediawiki – MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.