Bug 2436176 (CVE-2025-67475)

Summary: CVE-2025-67475 MediaWiki: MediaWiki: Cross-site Scripting vulnerability due to improper input neutralization
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in MediaWiki. This vulnerability, identified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting or XSS), allows a remote attacker to inject malicious scripts into web pages. This can lead to information disclosure, session hijacking, or arbitrary code execution within the context of the user's browser. The flaw is specifically associated with the includes/CommentFormatter/CommentParser.Php program file.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2436196, 2436201    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-03 02:01:19 UTC 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php.

This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.