CVE-2025-62671: 
PHP vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability was discovered in The Wikimedia Foundation Mediawiki - Cargo Extension, identified as CVE-2025-62671. The vulnerability was discovered on August 17, 2025, and publicly disclosed on October 18, 2025. The issue affects the Cargo Extension before version 3.8.3, allowing attackers to inject malicious HTML into table fields that are printed without proper sanitization (Miggo, NVD).

The vulnerability exists in the printFilterValue function within CargoDrilldownPage.php. The function returned raw, unescaped values that were directly rendered on the page, enabling the injection of malicious HTML and JavaScript. The vulnerability received a CVSS 4.0 Base Score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (Phabricator, NVD).

The vulnerability allows attackers to perform stored Cross-site Scripting attacks by inserting malicious HTML into table fields. When these fields are accessed through the Special:Drilldown interface, the malicious code is executed in the context of other users' browsers, potentially leading to session hijacking, data theft, or other client-side attacks (Phabricator).

The vulnerability has been patched in version 3.8.3 of the Cargo Extension. The fix involves implementing proper output escaping using htmlspecialchars in the printFilterValue function. Users are advised to upgrade to version 3.8.3 or later to mitigate this vulnerability (Miggo).