CVE-2025-23078
📋 TL;DR
This CVE describes a Cross-Site Scripting (XSS) vulnerability in the Mediawiki Breadcrumbs2 extension. It allows attackers to inject malicious scripts into web pages viewed by other users. Affected systems include Mediawiki installations using Breadcrumbs2 extension versions 1.39.X before 1.39.11, 1.41.X before 1.41.5, and 1.42.X before 1.42.4.
💻 Affected Systems
- Wikimedia Foundation Mediawiki - Breadcrumbs2 extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.
Likely Case
Attackers inject malicious scripts to steal user session data or credentials from authenticated users.
If Mitigated
Limited impact if proper Content Security Policy (CSP) headers are implemented and user input validation is enforced.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity and can be exploited by unauthenticated users if they can inject malicious input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.39.11, 1.41.5, or 1.42.4
Vendor Advisory: https://phabricator.wikimedia.org/T382043
Restart Required: No
Instructions:
1. Update Mediawiki to version 1.39.11, 1.41.5, or 1.42.4. 2. Update the Breadcrumbs2 extension to the latest version compatible with your Mediawiki version. 3. Clear any caches if applicable.
🔧 Temporary Workarounds
Disable Breadcrumbs2 Extension
allTemporarily disable the vulnerable Breadcrumbs2 extension until patching is possible.
Edit LocalSettings.php and remove or comment out the line: wfLoadExtension('Breadcrumbs2');
Implement Content Security Policy
allAdd CSP headers to mitigate XSS impact by restricting script execution sources.
Add to web server config or application headers: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Disable the Breadcrumbs2 extension immediately
- Implement strict input validation and output encoding for all user inputs
🔍 How to Verify
Check if Vulnerable:
Check Mediawiki version and Breadcrumbs2 extension version in LocalSettings.php and extension metadata.Check Version:
Check Mediawiki version via Special:Version page or grep 'wgVersion' in LocalSettings.phpVerify Fix Applied:
Verify Mediawiki version is 1.39.11, 1.41.5, or 1.42.4 and Breadcrumbs2 extension is updated.📡 Detection & Monitoring
Log Indicators:
- Unusual script tags or JavaScript in URL parameters or form submissions
- Multiple requests with encoded script payloads
Network Indicators:
- HTTP requests containing script tags or JavaScript in parameters
- Unusual redirects to external domains
SIEM Query:
web_access_logs WHERE url CONTAINS '<script' OR url CONTAINS 'javascript:'