GHSA-g3cp-pq72-hjpv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g3cp-pq72-hjpv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-g3cp-pq72-hjpv/GHSA-g3cp-pq72-hjpv.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-g3cp-pq72-hjpv
- Aliases
- Published
- 2025-06-13T14:08:31Z
- Modified
- 2025-06-13T16:05:30.598276Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- starcitizentools/citizen-skin allows stored XSS in menu heading message
- Details
-
Summary
All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The system messages for menu headings are inserted unescaped into raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10
PoC
- Go to any article using citizen with the
uselangparameter set tox-xss - A large number of alerts will be shown for various messages, e.g.:
On the main page of my test wiki, the following messages were shown:
navigation,notifications,user-interface-preferences,personaltools,variants,views,associated-pages,cactionsandtoolbox.Impact
This impacts wikis where a group has the
editinterfacebut not theeditsitejsuser right. - Go to any article using citizen with the
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-06-12T19:15:20Z", "severity": "MODERATE", "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2025-06-13T14:08:31Z" }- References
-
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g3cp-pq72-hjpv
- https://nvd.nist.gov/vuln/detail/CVE-2025-49579
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen
Affected packages
Packagist / starcitizentools/citizen-skin
Package
- Name
- starcitizentools/citizen-skin
- Purl
- pkg:composer/starcitizentools/citizen-skin
Affected versions
v2.*
v2.4.2
v2.4.3
v2.4.4
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.9.0
v2.9.1
v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.14.0
v2.14.1
v2.15.0
v2.15.1
v2.16.0
v2.16.1
v2.17.0
v2.17.1
v2.17.2
v2.18.0
v2.18.1
v2.19.0
v2.20.0
v2.21.0
v2.22.0
v2.22.1
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.27.0
v2.28.0
v2.29.0
v2.30.0
v2.31.0
v2.32.0
v2.33.0
v2.34.0
v2.35.0
v2.36.0
v2.37.0
v2.38.0
v2.38.1
v2.38.2
v2.38.3
v2.39.0
v2.39.1
v2.39.2
v2.39.3
v2.39.4
v2.40.0
v2.40.1
v2.40.2
v3.*
v3.0.0
v3.1.0
v3.2.0
v3.3.0