The vulnerability (CVE-2025-XXXXX) in TabberNeue allows stored Cross-Site Scripting (XSS) via wikitext due to insufficient sanitization of HTML attributes in the `TabberComponentTabs`, where validation via `Sanitizer::validateTagAttributes` is incomplete. The attributes are then inserted into the DOM without proper escaping in Tabs.mustache, enabling arbitrary JavaScript execution. Attackers can inject malicious scripts through crafted attributes or script tags, which execute when the tabber content is rendered.
DailyCVE Form
Platform: TabberNeue
Version: 3.0.0-3.1.0
Vulnerability: Stored XSS
Severity: High
Date: Jun 27, 2025
Prediction: Patch by Jul 10, 2025
What Undercode Say
git clone https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue
cd mediawiki-extensions-TabberNeue
git checkout 3.1.1  # Patched version

// Vulnerable code snippet
$attrs = Sanitizer::validateTagAttributes($args, 'tabber');
How Exploit
<tabber onclick="alert('XSS')"> Malicious Tab </tabber>
Protection from this CVE
- Update to TabberNeue 3.1.1
- Sanitize wikitext input
- Escape HTML attributes
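
One way to apply the "escape HTML attributes" mitigation, shown as an added example that is not TabberNeue or MediaWiki code: attribute names are checked against an allowlist and every value is escaped before it is written into markup. `ALLOWED_ATTRS` and `render_attrs()` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example (not TabberNeue/MediaWiki code): allowlist attribute names
// and escape attribute values before they are written into HTML.
// ALLOWED_ATTRS and render_attrs() are hypothetical names for illustration.

const ALLOWED_ATTRS = ['class', 'id', 'title', 'lang', 'dir'];

function render_attrs(array $attrs): string
{
    $out = [];
    foreach ($attrs as $name => $value) {
        $name = strtolower(trim((string)$name));
        // Allowlist, not blocklist: on* handlers, style, srcdoc and any
        // unknown attribute are dropped because they are not listed.
        if (!in_array($name, ALLOWED_ATTRS, true)) {
            continue;
        }
        // Only scalar values can be rendered as an attribute value.
        if (!is_scalar($value)) {
            continue;
        }
        // ENT_QUOTES escapes both " and ', so a value cannot close the
        // attribute and start a new one; ENT_SUBSTITUTE replaces invalid
        // UTF-8 instead of returning an empty string.
        $escaped = htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out[] = $name . '="' . $escaped . '"';
    }
    return implode(' ', $out);
}

// Constructed sample inputs, modelled on the attribute payload on this page.
$samples = [
    ['onclick' => "alert('XSS')"],               // event handler: dropped
    ['class' => 'x" onmouseover="alert(1)'],     // quote breakout: escaped
    ['title' => '<script>alert(1)</script>'],    // markup in value: escaped
    ['id' => 'tab-1', 'style' => 'x:y'],         // style dropped, id kept
];

foreach ($samples as $attrs) {
    printf("%s\n  => [%s]\n", json_encode($attrs), render_attrs($attrs));
}
```

The first sample renders as an empty attribute string; in the second, the double quote becomes `&quot;`, so the injected `onmouseover` stays inside the `class` value.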
Impact
- Arbitrary script execution
- Session hijacking
- Data theft
Sources:
Reported By: github.com

