8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-21612

GHSA ID

GHSA-4x6x-8rm8-c37j

EPSS Score

0.3118%

CWE

CWE-79

Published

1/6/2025

Updated

1/6/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-21612

CVE-2025-21612:
Extension:TabberNeue vulnerable to Cross-site Scripting

Summary

There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users.

Edit: Only the first XSS can be reproduced in production.

Details

✅ Verified and patched in f229cab099c69006e25d4bad3579954e481dc566

https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberTransclude.php#L154 This doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here.

This was caused by d8c3db4e5935476e496d979fb01f775d3d3282e6.

❌ Invalid as MediaWiki parser sanitizes dangerous HTML

https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/Tabber.php#L160 The documentation for Parser::recursiveTagParse() states that it returns unsafe HTML, and the $content being supplied is from user input.

This was caused by 95351812613e04717f3ad7844cfcc67e4ede4d11.

❌ Invalid as TabberParsoid is not being used

https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberParsoid.php#L96 This uses unescaped user input as the attribute of an element, thus allowing the user to break out of the attribute or element and injecting arbitrary attributes to the element, or inserting new ones (such as a script tag).

This was caused by 8278e665480f08da635aee383c6b5caaeca26ba3.

PoC

For the first XSS, render the following wikitext (whether it be through saving it to a page and viewing it, or via Special:ExpandTemplates):

<tabbertransclude>
<script>alert(1)</script> | hehe
</tabbertransclude>

For the second XSS, I have given up attempting to reproduce it after over twenty minutes of "surfing through the internals of the MediaWiki parser fishing for an XSS out of this giant contraption as I bring myself deeper and deeper into the cogs of the machine that no one knows how to maintain or fully operate ever since its conception".

For the third XSS, this is unreachable as the class is never used, though it should be fixed anyway (or the file removed).

Impact

Any user with the ability to cause another user to render wikitext (such as viewing a page that the user can edit, or an attacker tricking the victim to click on a link to Special:ExpandTemplates with the malicious wikitext in the wpInput parameter) can XSS said user.

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-21612

GHSA ID

GHSA-4x6x-8rm8-c37j

EPSS Score

0.3118%

CWE

CWE-79

Published

1/6/2025

Updated

1/6/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
starcitizentools/tabber-neue	composer	>= 1.9.1, < 2.7.2	2.7.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The primary vulnerability stems from the buildTabTransclude function in TabberNeueHooks.php. In the original code (introduced in d8c3db4), $pageName (user-controlled input) was directly interpolated into an HTML error message via sprintf() without escaping. This was patched in f229cab by adding Sanitizer::escapeHtmlAllowEntities(). The PoC demonstrates this vector by injecting a <script> tag via the page name parameter. The other two reported issues were deemed invalid/unreachable: (1) recursiveTagParse usage in Tabber.php is mitigated by MediaWiki's parser sanitization, and (2) TabberParsoid.php's code was unused. The confidence is high due to the reproducible PoC and explicit patch addressing this specific code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T**r* *r* s*v*r*l sour**s o* *r*itr*ry, un*s**p** us*r input **in* us** to *onstru*t *TML, w*i** *llows *ny us*r t**t **n **it p***s or ot**rwis* r*n**r wikit*xt to XSS ot**r us*rs. > **it: Only t** *irst XSS **n ** r*pro*u*** in pro*u*t

Reasoning

T** prim*ry vuln*r**ility st*ms *rom t** `*uil*T**Tr*ns*lu**` *un*tion in `T****rN*u**ooks.p*p`. In t** ori*in*l *o** (intro*u*** in *******), `$p***N*m*` (us*r-*ontroll** input) w*s *ir**tly int*rpol*t** into *n *TML *rror m*ss*** vi* `sprint*()` wi

8.6

Basic Information

Concerned about an active attack path?

CVE-2025-21612: Extension:TabberNeue vulnerable to Cross-site Scripting

Summary

Details

PoC

Impact

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-21612:
Extension:TabberNeue vulnerable to Cross-site Scripting

Vulnerability Intelligence
Miggo AI