HTML Injection Vulnerability in Citizen MediaWiki Skin by Star Citizen Tools
CVE-2025-49579

6.5MEDIUM

Key Information:

Vendor

Starcitizentools

Status
Mediawiki-skins-citizen
Vendor
CVE Published:
12 June 2025

What is CVE-2025-49579?

The Citizen MediaWiki skin allows for HTML injection due to improper handling of system messages within the Menu.mustache template. This vulnerability permits users with specific editing rights to insert arbitrary HTML, which could compromise the security of the wikis, especially for those holding the 'editinterface' but lacking the 'editsitejs' permissions. Affected users are encouraged to upgrade to version 3.3.1 or later to mitigate the risks associated with this vulnerability.

Affected Version(s)

mediawiki-skins-Citizen >= 54c8717d45ce1594918f11cb9ce5d0ccd8dfee65, < 93c36ac778397e0e7c46cf7adb1e5d848265f1bd < 54c8717d45ce1594918f11cb9ce5d0ccd8dfee65, 93c36ac778397e0e7c46cf7adb1e5d848265f1bd

mediawiki-skins-Citizen >= 2.4.2, < 3.3.1 < 2.4.2, 3.3.1

References

https://github.com/StarCitizenTools/mediawiki-skins-Citiz...
x_refsource_CONFIRM
https://github.com/StarCitizenTools/mediawiki-skins-Citiz...
x_refsource_MISC
https://github.com/StarCitizenTools/mediawiki-skins-Citiz...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-49579 : HTML Injection Vulnerability in Citizen MediaWiki Skin by Star Citizen Tools