HTML Injection Vulnerability in Citizen MediaWiki Skin by Star Citizen Tools
CVE-2025-49578

6.5MEDIUM

Key Information:

Vendor

Starcitizentools

Status
Mediawiki-skins-citizen
Vendor
CVE Published:
12 June 2025

What is CVE-2025-49578?

The Citizen MediaWiki skin enables users to customize date messages through the Language::userDate function. However, a vulnerability exists where these messages can be inserted into the DOM as raw HTML. This poses a risk for wikis that grant editinterface but not editsitejs privileges to users, allowing malicious actors to exploit this pathway. The issue has been addressed in version 3.3.1.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

mediawiki-skins-Citizen >= 64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb, < 93c36ac778397e0e7c46cf7adb1e5d848265f1bd < 64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb, 93c36ac778397e0e7c46cf7adb1e5d848265f1bd

mediawiki-skins-Citizen >= 3.3.0, < 3.3.1 < 3.3.0, 3.3.1

References

https://github.com/StarCitizenTools/mediawiki-skins-Citiz...
x_refsource_CONFIRM
https://github.com/StarCitizenTools/mediawiki-skins-Citiz...
x_refsource_MISC
https://github.com/StarCitizenTools/mediawiki-skins-Citiz...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.