Cross-Site Request Forgery and XSS in Wikimedia Foundation Mediawiki - DataTransfer Extension
CVE-2025-23081

6.1 MEDIUM

Key Information:

Vendor
CVE Published: 14 January 2025

Summary

The DataTransfer extension for MediaWiki is vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). An attacker can use these flaws to trigger unauthorized actions and inject script, compromising user data and application integrity. Users of versions prior to 1.39.11, 1.41.3, and 1.42.2 are urged to update their extensions to mitigate these security issues.

Affected Version(s)

Mediawiki - DataTransfer Extension 1.39.x < 1.39.11

Mediawiki - DataTransfer Extension 1.41.x < 1.41.3

Mediawiki - DataTransfer Extension 1.42.x < 1.42.2

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

Credit

BlankEclair (Claire)