6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-25814

GHSA ID

GHSA-4vr7-m8p8-434h

EPSS Score

0.60608%

CWE

CWE-79

Published

5/24/2022

Updated

5/17/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-25814

CVE-2020-25814: MediaWiki Cross-site Scripting (XSS) vulnerability

In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-25814

CVE-2020-25814:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-25814

GHSA ID

GHSA-4vr7-m8p8-434h

EPSS Score

0.60608%

CWE

CWE-79

Published

5/24/2022

Updated

5/17/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mediawiki/core	composer	>= 1.31.0, < 1.31.9	1.31.9
mediawiki/core	composer	>= 1.32.0, < 1.34.3	1.34.3
mediawiki/core	composer	>= 1.35.0-rc.0, < 1.35.0	1.35.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from two key flaws: (1) The extlink handler in jqueryMsg's HtmlEmitter did not sanitize URLs, permitting 'javascript:' links. The patch explicitly checks for valid protocols. (2) The isAllowedHtml function allowed unsafe style attributes. Both functions were directly modified in the security patch (T86738), and their pre-patch behavior aligns with the described XSS vector. The Phabricator ticket and commit diffs confirm these as the root causes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-25814: MediaWiki Cross-site Scripting (XSS) vulnerability

CVE-2020-25814:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

Basic Information

Basic Information

CVE-2020-25814: MediaWiki Cross-site Scripting (XSS) vulnerability

6.1

6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-25814: MediaWiki Cross-site Scripting (XSS) vulnerability

CVE-2020-25814:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2020-25814: MediaWiki Cross-site Scripting (XSS) vulnerability

6.1

6.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI