CVE-2025-53368 - Vulnerability Details

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This issue has been patched in version 3.4.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Starcitizen.tools	Citizen
Starcitizentools	Mediawiki-skins-citizen

Configuration 1 [-]

cpe:2.3:a:starcitizen.tools:citizen:*:*:*:*:*:mediawiki:*:*

No data.

References

Link	Providers
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/aedbceb3380bb48db6b59e272fc187529c71c8ca
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/releases/tag/v3.4.0
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-rq6g-6g94-jfr4

History

Fri, 22 Aug 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Starcitizen.tools Starcitizen.tools citizen
CPEs		cpe:2.3:a:starcitizen.tools:citizen::::::mediawiki::*
Vendors & Products		Starcitizen.tools Starcitizen.tools citizen

Thu, 03 Jul 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 03 Jul 2025 19:45:00 +0000

Type	Values Removed	Values Added
Description		Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This issue has been patched in version 3.4.0.
Title		Citizen is vulnerable to stored XSS attack in the legacy search bar
Weaknesses		CWE-79
References		https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/aedbceb3380bb48db6b59e272fc187529c71c8ca https://github.com/StarCitizenTools/mediawiki-skins-Citizen/releases/tag/v3.4.0 https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-rq6g-6g94-jfr4
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-07-03T19:34:50.057Z

Updated: 2025-07-03T19:50:44.553Z

Reserved: 2025-06-27T12:57:16.121Z

Link: CVE-2025-53368

Vulnrichment

Updated: 2025-07-03T19:50:36.399Z

NVD

Status : Analyzed

Published: 2025-07-03T20:15:23.577

Modified: 2025-08-22T14:20:41.683

Link: CVE-2025-53368

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object