CVE-2025-49576
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in the Citizen MediaWiki skin where system messages are inserted as raw HTML without proper sanitization. Attackers who can edit these specific system messages can inject arbitrary HTML/JavaScript into web pages. This affects MediaWiki installations using the Citizen skin with vulnerable versions.
💻 Affected Systems
- mediawiki-skins-Citizen
📦 What is this software?
Citizen by Starcitizen.tools
⚠️ Risk & Real-World Impact
Worst Case
Malicious users with edit permissions could inject JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users.
Likely Case
Authenticated users with message editing permissions could deface pages, insert malicious content, or perform limited client-side attacks against other users viewing affected pages.
If Mitigated
With proper user permission controls and content security policies, impact is limited to users with message editing access who could only affect the appearance of search result pages.
🎯 Exploit Status
Exploitation requires an authenticated user with message editing permissions. The vulnerability is straightforward XSS via HTML injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.1
Vendor Advisory: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-86xf-2mgp-gv3g
Restart Required: No
Instructions:
1. Update Citizen skin to version 3.3.1 or later.
2. Navigate to MediaWiki skins directory.
3. Run: git pull origin master (if using git) or download and extract new version.
4. Clear MediaWiki cache if needed.
🔧 Temporary Workarounds
Restrict message editing permissions
Limit which users can edit system messages to trusted administrators only
Edit LocalSettings.php to restrict $wgGroupPermissions for message editing
Implement Content Security Policy
Add CSP headers to mitigate impact of successful XSS attacks
Add Content-Security-Policy headers via web server configuration
🧯 If You Can't Patch
- Restrict message editing to only trusted administrators
- Implement input validation and output encoding for citizen-search-noresults-title and citizen-search-noresults-desc messages
🔍 How to Verify
Check if Vulnerable:
Check Citizen skin version in MediaWiki skins directory or via MediaWiki Special:Version page
Check Version:
Check Citizen.php file for version number or use MediaWiki's Special:Version page
Verify Fix Applied:
Confirm Citizen skin version is 3.3.1 or later and test that HTML tags in citizen-search-noresults-title/desc messages are properly escaped
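The escaping check described above, as an added example (not the Citizen skin's own code): it renders the two messages once as raw HTML and once escaped, then tests whether a harmless probe tag placed in the message survives as markup. The message values, helper names, and wrapper markup are constructed for illustration.

```javascript
// Constructed sample: stands in for on-wiki overrides of the two messages.
const messages = {
  'citizen-search-noresults-title': 'No results for <b data-probe="1">$1</b>',
  'citizen-search-noresults-desc': 'Try a different term & check spelling'
};

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical helper: plain-text message lookup with $1 substitution.
function messageText(key, param) {
  return messages[key].replace(/\$1/g, () => param);
}

// Shared markup wrapper (class name is made up for this example).
function wrap(titleHtml, descHtml) {
  return '<div class="noresults-demo"><h2>' + titleHtml + '</h2><p>' + descHtml + '</p></div>';
}

// Vulnerable pattern: only the query is escaped; the message body is trusted
// and lands in the page as raw HTML.
function renderNoResultsRaw(query) {
  return wrap(
    messageText('citizen-search-noresults-title', escapeHtml(query)),
    messageText('citizen-search-noresults-desc', escapeHtml(query))
  );
}

// Hardened pattern: substitute first, then escape the whole message text.
function renderNoResultsEscaped(query) {
  return wrap(
    escapeHtml(messageText('citizen-search-noresults-title', query)),
    escapeHtml(messageText('citizen-search-noresults-desc', query))
  );
}

// Verification check: did the probe element from the message survive as a tag?
function probeTagSurvives(html) {
  return /<b\s+data-probe=/.test(html);
}
```

On a patched install the equivalent manual test is to view the no-results page after placing a harmless tag in a test copy of the message and confirm it is displayed as literal text.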
📡 Detection & Monitoring
Log Indicators:
- Unusual edits to system messages, particularly citizen-search-noresults-title or citizen-search-noresults-desc
Network Indicators:
- Unexpected JavaScript execution on search result pages
SIEM Query:
source="mediawiki" AND (message="*citizen-search-noresults*" AND action="edit")
🔗 References
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/a0296afaedbe1a277337a2d8f1da83cb3a79b9ab
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-86xf-2mgp-gv3g