Wikimedia Foundation MediaWiki Core Feed Utils WebView Injection Vulnerability

Vulnerability

An improper output encoding/escaping vulnerability has been identified in the Feed Utils component of Wikimedia Foundation's MediaWiki Core, affecting versions 1.39 through 1.43. Because a message is placed into the feed output without being escaped, HTML can be injected into the feed, which in turn enables WebView injection in consumers that render feed content as HTML.

Impact

Exploitation of this vulnerability could cause HTML injection, leading to malformed or confusing feed output.

Reproduction

The vulnerability can be reproduced by creating a blank wikitext page, which causes the 'newpage' message to be emitted. That message is then included in the feed output without proper escaping. When the feed is viewed in a WebView that interprets HTML, such as one embedded in a mobile app, the injected script executes, demonstrating the WebView injection.
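The defect described above is the classic "text interpolated into feed HTML without escaping" pattern. The following Python example is added here for illustration and is not MediaWiki code; it models a generic RSS item rather than MediaWiki's actual feed classes, and the sample message, the allowlist of tags and the helper names are all assumptions chosen for the demo. It places a message into a feed description both unescaped (the vulnerable shape) and HTML-escaped (the fixed shape), serializes each as well-formed XML, then parses the item the way a feed reader would and reports which tags would reach a WebView.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample: text a site message might carry. The markup is an
# illustrative placeholder for the demo, not content taken from the advisory.
SAMPLE_MESSAGE = 'New page created: <img src="x" onerror="log()">'


def description_unescaped(message: str) -> str:
    """Vulnerable pattern: message text is dropped into the description HTML as-is."""
    return f"<p>{message}</p>"


def description_escaped(message: str) -> str:
    """Hardened pattern: message text is HTML-escaped, so markup in it stays literal."""
    return f"<p>{html.escape(message, quote=True)}</p>"


def serialize_item(title: str, description_html: str) -> str:
    """Serialize one RSS <item>. ElementTree XML-escapes text nodes, so the feed
    is well-formed XML in both cases; the difference only appears once a reader
    decodes the description and treats it as HTML."""
    item = ET.Element("item")
    ET.SubElement(item, "title").text = title
    ET.SubElement(item, "description").text = description_html
    return ET.tostring(item, encoding="unicode")


def consumer_renders(item_xml: str) -> str:
    """Model a feed reader: parse the XML and return the description exactly as
    a WebView would receive it for HTML rendering."""
    return ET.fromstring(item_xml).findtext("description") or ""


# Matches an opening or closing tag name in HTML text (hypothetical defender check).
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def disallowed_tags(description_html: str, allowed=("p", "b", "i", "a")) -> list:
    """Defender check: list tag names in the rendered description that fall
    outside a small allowlist of formatting tags (allowlist is an assumption)."""
    found = {t.lower() for t in TAG_RE.findall(description_html)}
    return sorted(t for t in found if t not in allowed)


def check_feed_item(message: str, escape: bool) -> list:
    """Build, serialize and re-parse one item; return the tags a reader would see
    that are not on the allowlist. An empty list means the message stayed text."""
    desc = description_escaped(message) if escape else description_unescaped(message)
    item_xml = serialize_item("Recent changes", desc)
    return disallowed_tags(consumer_renders(item_xml))


if __name__ == "__main__":
    print("unescaped:", check_feed_item(SAMPLE_MESSAGE, escape=False))  # ['img']
    print("escaped:  ", check_feed_item(SAMPLE_MESSAGE, escape=True))   # []
```

The point the check makes is that XML well-formedness is not the relevant property: both items serialize cleanly, and only the escaped one keeps the message as literal text after a reader decodes the description. Running `disallowed_tags` over a feed's parsed descriptions is a cheap way to spot items where untrusted text has been promoted to markup.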

Remediation

Users can update to MediaWiki versions 1.39.12, 1.42.6, or 1.43.1, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.7
exploitability: 7.9
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.