Platform
php
Component
tableprogresstracking
Fixed in
1.2.2
CVE-2025-67646 describes a Cross-Site Request Forgery (CSRF) vulnerability in the TableProgressTracking MediaWiki extension. The flaw lets an attacker cause the browser of an authenticated user to issue state-changing requests to the wiki without that user's intent. Versions 1.2.0 and earlier are vulnerable; version 1.2.1 adds proper CSRF token validation.
The primary impact is unauthorized modification or deletion of table progress tracking data in a MediaWiki installation. An attacker crafts a web page that, when loaded, submits a request for an action such as deleting a table or updating its progress. If a user who is logged in to the wiki visits that page, the browser attaches the user's session cookies and the server executes the action as if the user had initiated it. Because the attacker's page never sees the response, the impact is on integrity and availability of the tracking data, not on confidentiality, and the attacker can only perform actions the victim is already permitted to perform. The result can be data loss, manipulated progress records and loss of trust in the wiki's data.
The vulnerability was publicly disclosed on December 10, 2025. There are currently no known public exploits or active campaigns targeting it. The CVSS base score of 3.5 (Low) reflects the limited impact (integrity only, user interaction required); it says nothing about the probability of exploitation, which the EPSS estimate on this page puts at 0.02% (5th percentile). The low score still warrants prompt remediation because the fix is a simple extension upgrade. The CVE is not listed in the CISA KEV catalog as of this writing.
Wikis running TableProgressTracking 1.2.0 or below are at risk, including organizations that use MediaWiki for project tracking, task management or other progress-related workflows. The attack needs a victim who is logged in to the wiki with rights to change tracked tables and who visits attacker-controlled content; it does not require the attacker to reach the wiki directly, since the victim's browser carries the request.
• php / web: Examine the MediaWiki extension directory for a TableProgressTracking install older than 1.2.1; the installed version is normally recorded in the extension's extension.json. The following command lists candidate extension directories with their modification time (the install path /var/www/mediawiki is an assumption, adjust it to your layout):
find /var/www/mediawiki/extensions/ -name "TableProgressTracking*" -type d -print0 | xargs -0 stat -c '%n %y'
• php / web: Check the web server access logs for state-changing (POST, PUT, DELETE) requests to the TableProgressTracking REST API routes. Access logs do not record the request body, so a missing CSRF token is not visible there; an absent or cross-site Referer (or Origin, if your log format records it) on such a request is the usable signal.
• php / web: Review the wiki's own logs for unusual table creation or deletion, and for requests originating from unexpected IP addresses.
• generic web: Monitor the installation for unexpected table modifications or data inconsistencies.
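The access-log check above can be scripted. The block below is an added example, not code from the extension or from MediaWiki: it parses lines in the common "combined" log format, keeps only write requests under the extension's REST route prefix, and flags those whose Referer is missing or belongs to another origin. The wiki origin, the route prefix `/rest.php/tableprogresstracking/` and the log lines are all constructed assumptions for the illustration; the real route paths are whatever the extension registers on your install.

```python
"""Flag cross-site write requests to TableProgressTracking REST routes in
web server access logs. Added illustration; not the extension's own code."""
import re
from urllib.parse import urlsplit

# Assumptions for this example: the wiki's origin and the prefix under which
# the extension's REST routes are served. Adjust both for a real install.
WIKI_ORIGIN = "https://wiki.example.org"
ROUTE_PREFIX = "/rest.php/tableprogresstracking/"
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

# Apache/nginx "combined" format:
# client ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Line 2 is a cross-site DELETE,
# line 4 a POST with no Referer; the others are benign or out of scope.
SAMPLE_LOG = [
    '203.0.113.7 - alice [10/Dec/2025:09:14:02 +0000] "POST /rest.php/tableprogresstracking/v0/table/42/progress HTTP/1.1" 200 512 "https://wiki.example.org/wiki/Project_Status" "Mozilla/5.0"',
    '203.0.113.7 - alice [10/Dec/2025:09:15:30 +0000] "DELETE /rest.php/tableprogresstracking/v0/table/42 HTTP/1.1" 200 0 "https://attacker.example/cute-cats.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2025:09:16:11 +0000] "GET /rest.php/tableprogresstracking/v0/table/42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - alice [10/Dec/2025:09:17:45 +0000] "POST /rest.php/tableprogresstracking/v0/table/42/progress HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - alice [10/Dec/2025:09:18:02 +0000] "POST /w/index.php?title=Foo&action=submit HTTP/1.1" 302 0 "https://attacker.example/x.html" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cross_site(referer, origin=WIKI_ORIGIN):
    """True when the Referer is absent or names a different origin.

    A browser cannot forge the Referer of a page it loaded from another site,
    so a cross-site value on a write request is a strong CSRF signal. An
    absent value is weaker: the wiki's own pages send a Referer unless a
    Referrer-Policy strips it, so treat these as candidates to review.
    """
    if referer in ("", "-"):
        return True
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" != origin


def suspicious_requests(lines):
    """Return parsed records for write requests to the extension's routes
    whose Referer is missing or cross-site."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real job would count these
        if rec["method"] not in WRITE_METHODS:
            continue  # reads cannot change tracking data
        if not rec["path"].startswith(ROUTE_PREFIX):
            continue  # other MediaWiki endpoints are out of scope here
        if is_cross_site(rec["referer"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in suspicious_requests(SAMPLE_LOG):
        print(rec["time"], rec["client"], rec["user"], rec["method"],
              rec["path"], "referer=" + rec["referer"])
```

Run it against a real log with `suspicious_requests(open("access.log"))`. The CSRF token itself travels in the request body, which access logs never record, so this script cannot tell a token-bearing request from a tokenless one; it isolates the requests that a browser would only have sent from a foreign page. Non-browser clients can set any Referer they like, so the output is a triage list, not proof of exploitation.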
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-67646 is to upgrade the TableProgressTracking extension to version 1.2.1 or later. If the upgrade must wait for compatibility testing, use interim controls that actually address CSRF; a Content Security Policy on the wiki does not, because the forged request is issued from the attacker's page, which the wiki's CSP does not govern. Options that do help: set MediaWiki's $wgCookieSameSite so session cookies are not sent on cross-site requests (Strict blocks them entirely but makes users appear logged out when they follow links from other sites; Lax still allows top-level GET navigations, so it only protects routes that reject GET for state changes); add a WAF or reverse-proxy rule that rejects POST, PUT and DELETE requests to the extension's REST routes whose Origin or Referer header is not the wiki's own origin; and restrict the rights needed to change tracked tables to the users who really need them, which limits what a forged request can do. None of these replaces the token check that 1.2.1 adds.
Update the TableProgressTracking extension to version 1.2.1 or later. That version fixes the CSRF vulnerability in the REST API and stops attackers from performing unauthorized actions on behalf of authenticated users.
CVE-2025-67646 is a Cross-Site Request Forgery (CSRF) vulnerability in the TableProgressTracking MediaWiki extension, allowing attackers to perform actions as authenticated users.
You are affected if you are using TableProgressTracking MediaWiki extension versions 1.2.0 or earlier.
Upgrade the TableProgressTracking extension to version 1.2.1 or later to resolve the vulnerability. As a temporary measure, consider WAF rules that reject state-changing requests to the extension's REST routes from foreign origins, and SameSite session cookies.
There is no confirmed active exploitation of CVE-2025-67646 as of December 10, 2025, but vigilance is still advised.
Refer to the official MediaWiki security advisories for details and updates regarding CVE-2025-67646.