{"schema_version":"1.7.3","id":"GHSA-gr6v-3pmp-996p","published":"2025-10-18T06:30:26Z","modified":"2025-10-20T18:27:46.506909Z","aliases":["CVE-2025-62671"],"summary":"Cargo Mediawiki Extension vulnerable to Cross-site Scripting","details":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension before 3.8.3.","affected":[{"package":{"name":"mediawiki/cargo","ecosystem":"Packagist","purl":"pkg:composer/mediawiki/cargo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.8.3"}]}],"versions":["0.10","0.11","1.0","1.0.1","1.1.1","1.2","1.3","1.3.1","1.4","1.5","1.6","1.7","2.0","2.0.1","2.1","2.1.1","2.1.2","2.2","2.3","2.3.1","2.4","2.5","2.6","2.7","2.7.1","2.8","3.0","3.1","3.2","3.3","3.3.1","3.4","3.4.1","3.4.2","3.4.3","3.4.4","3.5","3.5.1","3.6","3.6.1","3.7","3.7.1","3.8","3.8.1","3.8.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-gr6v-3pmp-996p/GHSA-gr6v-3pmp-996p.json"}}],"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62671"},{"type":"WEB","url":"https://github.com/wikimedia/mediawiki-extensions-Cargo/commit/e50915626c0d9a7b222dabc94ddfcb516caf557d"},{"type":"WEB","url":"https://gerrit.wikimedia.org/r/1179707"},{"type":"PACKAGE","url":"https://github.com/wikimedia/mediawiki-extensions-Cargo"},{"type":"WEB","url":"https://phabricator.wikimedia.org/T402147"}],"database_specific":{"cwe_ids":["CWE-79"],"github_reviewed":true,"github_reviewed_at":"2025-10-20T17:54:59Z","nvd_published_at":"2025-10-18T05:15:34Z","severity":"MODERATE"},"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"}]}