Reflected Cross-Site Scripting (XSS) in Semantic MediaWiki
Semantic MediaWiki, releases prior to 5.0.2.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting Semantic MediaWiki, an open-source extension for MediaWiki (the wiki software used by Wikipedia). The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-10354: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
The vulnerability has been fixed by the Semantic MediaWiki team in version 5.0.2.
CVE-2025-10354: Cross-Site Scripting (XSS) vulnerability reflected in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2025-10354 | Media | No | Semantic MediaWiki |
