CVE-2025-21612
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in the TabberNeue MediaWiki extension that allows attackers to inject malicious scripts via user-supplied page names. When exploited, it enables attackers to execute arbitrary JavaScript in the context of other users' browsers. This affects MediaWiki installations using TabberNeue extension versions prior to 2.7.2.
💻 Affected Systems
- TabberNeue MediaWiki Extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or deface the wiki interface.
Likely Case
Attackers inject malicious scripts that steal user session tokens or credentials when users view pages with crafted tab names.
If Mitigated
With proper Content Security Policy (CSP) headers and other XSS protections, impact is limited to the specific vulnerable page.
🎯 Exploit Status
Exploitation requires ability to create or edit pages with tab names, typically requiring edit permissions. The vulnerability is in TabberTransclude.php where user input is not properly escaped before output.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.2
Vendor Advisory: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j
Restart Required: No
Instructions:
1. Update the TabberNeue extension to version 2.7.2 or later.
2. For MediaWiki installations: navigate to the extensions/TabberNeue directory.
3. Run: git pull origin master
4. Verify the update by checking the version in extension.json.
🔧 Temporary Workarounds
Disable TabberTransclude feature
Temporarily disable the vulnerable tab transclusion functionality
Edit LocalSettings.php and add: $wgTabberNeueDisableTransclude = true;
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Restrict page editing permissions to trusted users only
🔍 How to Verify
Check if Vulnerable:
Check if TabberNeue extension version is below 2.7.2 in extensions/TabberNeue/extension.json
Check Version:
grep -i version extensions/TabberNeue/extension.json
Verify Fix Applied:
Verify extension version is 2.7.2 or higher and test tab transclusion with script-like input
📡 Detection & Monitoring
Log Indicators:
- Unusual page edits containing script tags in tab names
- Multiple failed attempts to inject script payloads
Network Indicators:
- Unexpected JavaScript execution from tab content
- External script loading from tab names
SIEM Query:
source="mediawiki" AND ("TabberTransclude" OR "tab name") AND ("script" OR "javascript" OR "onerror")
(The scope terms are grouped explicitly: in Splunk-style syntax AND binds tighter than OR, so without the parentheses every TabberTransclude event would match regardless of content.)
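Added example, not from the advisory or the TabberNeue project: the grouped form of the SIEM query applied to constructed MediaWiki-style edit log lines, flagging tab names that carry script-like content. The key=value log format, the field names (component, tab_name) and the indicator patterns are assumptions for illustration.

```python
import re

# Constructed sample edit log (not real MediaWiki output); one event per line.
SAMPLE_LOG = """\
ts=2025-01-05T10:01:00Z source=mediawiki event=edit page=Main_Page user=alice component=TabberTransclude tab_name="Overview"
ts=2025-01-05T10:02:10Z source=mediawiki event=edit page=Ships user=mallory component=TabberTransclude tab_name="<script>x()</script>"
ts=2025-01-05T10:03:30Z source=mediawiki event=edit page=Ships user=mallory component=TabberTransclude tab_name="<img src=x onerror=x()>"
ts=2025-01-05T10:04:00Z source=mediawiki event=edit page=Help user=bob component=Parser tab_name="javascript:void(0)"
ts=2025-01-05T10:05:00Z source=mediawiki event=edit page=Help user=carol component=Parser summary="fix typo"
"""

# key=value or key="quoted value" fields (assumed log format)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Script-like indicators mirroring the query's "script" / "javascript" / "onerror" terms
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon\w+\s*=", re.I),  # onerror=, onload=, ...
}

def parse_line(line):
    """Split one log line into a dict of fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}

def matches_query(fields):
    """Grouped query: (TabberTransclude OR tab name present) AND script-like indicator.
    Returns the indicator name that fired, or None."""
    if fields.get("source") != "mediawiki":
        return None
    in_scope = fields.get("component") == "TabberTransclude" or "tab_name" in fields
    if not in_scope:
        return None
    for name, rx in INDICATORS.items():
        if rx.search(fields.get("tab_name", "")):
            return name
    return None

def scan(log_text):
    """Return (user, page, indicator) for every flagged edit, in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        indicator = matches_query(fields)
        if indicator:
            hits.append((fields.get("user"), fields.get("page"), indicator))
    return hits

def ungrouped_matches(log_text):
    """Count what the query matches if AND binds tighter than OR: every
    TabberTransclude event, payload or not, plus tab-name events with an indicator."""
    count = 0
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("component") == "TabberTransclude" or matches_query(fields):
            count += 1
    return count

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("flagged:", hit)
    print("grouped hits:", len(scan(SAMPLE_LOG)), "ungrouped hits:", ungrouped_matches(SAMPLE_LOG))
```

On the sample the grouped logic flags three edits while the ungrouped reading also sweeps in the benign "Overview" edit, which is the noise the parentheses remove.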
🔗 References
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/d8c3db4e5935476e496d979fb01f775d3d3282e6
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/f229cab099c69006e25d4bad3579954e481dc566
- https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security/advisories/GHSA-4x6x-8rm8-c37j