HTML Injection Vulnerability in Citizen MediaWiki Skin by Star Citizen Tools
CVE-2025-49578
6.5MEDIUM
What is CVE-2025-49578?
The Citizen MediaWiki skin enables users to customize date messages through the Language::userDate function. However, a vulnerability exists where these messages can be inserted into the DOM as raw HTML. This poses a risk for wikis that grant editinterface but not editsitejs privileges to users, allowing malicious actors to exploit this pathway. The issue has been addressed in version 3.3.1.
Affected Version(s)
mediawiki-skins-Citizen >= 64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb, < 93c36ac778397e0e7c46cf7adb1e5d848265f1bd < 64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb, 93c36ac778397e0e7c46cf7adb1e5d848265f1bd
mediawiki-skins-Citizen >= 3.3.0, < 3.3.1 < 3.3.0, 3.3.1