CVE-2025-53368
📋 TL;DR
This vulnerability allows authenticated users with page editing privileges to inject malicious scripts into the Citizen MediaWiki skin's search results. When other users search for specific pages, these scripts execute in their browsers, enabling cross-site scripting attacks. All MediaWiki instances using Citizen skin versions 1.9.4 through 3.3.x are affected.
💻 Affected Systems
- Citizen MediaWiki Skin
📦 What is this software?
Citizen by Starcitizen.tools
⚠️ Risk & Real-World Impact
Worst Case
An attacker with editing privileges could steal session cookies, perform actions as other users, deface the wiki, or redirect users to malicious sites, potentially compromising entire user accounts and administrative functions.
Likely Case
Malicious editors inject JavaScript payloads that steal session cookies or perform unauthorized actions when other users search for pages they've edited, leading to account compromise and data theft.
If Mitigated
With proper user privilege controls and content review, impact is limited to trusted editors misusing their access, though even trusted users could be compromised via stored XSS.
🎯 Exploit Status
Exploitation requires an authenticated user with page editing permissions. The vulnerability is straightforward to exploit once an attacker gains editing access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.0
Vendor Advisory: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-rq6g-6g94-jfr4
Restart Required: No
Instructions:
1. Back up your MediaWiki installation.
2. Update the Citizen skin to version 3.4.0 or later via composer: 'composer require citizentools/mediawiki-skins-citizen:^3.4'.
3. Verify the update in MediaWiki's skin configuration.
🔧 Temporary Workarounds
Disable Old Search Bar
Switch to the new search bar implementation, which is not vulnerable
Set $wgCitizenSearchDescription to false in LocalSettings.php
Restrict Page Editing
Temporarily limit page editing to trusted administrators only
Modify $wgGroupPermissions in LocalSettings.php to restrict edit permissions
🧯 If You Can't Patch
- Implement strict content sanitization for page descriptions using MediaWiki's built-in sanitization functions
- Enable CSP headers to mitigate XSS impact and monitor for suspicious editing activity
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Citizen skin version is between 1.9.4 and 3.3.x and whether the old search bar is enabled
Check Version:
Check composer.json or skin directory for version, or run: grep -r 'version' skins/Citizen/extension.json
Verify Fix Applied:
Verify Citizen skin version is 3.4.0 or later and test search functionality with script tags in page descriptions
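The version check above can be scripted across several wiki installs. This is an added example, not code from the advisory or the Citizen project; it assumes the manifest is JSON with a top-level "version" string, and all function names are illustrative.

```python
import json
import re
import sys

# Affected range as stated on this page: 1.9.4 through 3.3.x; fixed in 3.4.0.
FIRST_AFFECTED = (1, 9, 4)
FIRST_FIXED = (3, 4, 0)


def parse_version(text):
    """Turn '3.3.1', 'v3.3' or '3.4.0-beta' into a 3-tuple (suffix ignored)."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version_text):
    """True when the version falls in the affected range."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def manifest_version(path):
    """Read the top-level "version" string from a JSON manifest (assumed layout)."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    version = data.get("version") if isinstance(data, dict) else None
    if not isinstance(version, str):
        raise ValueError(f"no version string in {path}")
    return version


def check(path):
    """Return (version, verdict) for the manifest at `path`."""
    version = manifest_version(path)
    return version, "AFFECTED" if is_affected(version) else "not in affected range"


if __name__ == "__main__":
    # The operator supplies the path, e.g. the file named under "Check Version".
    if len(sys.argv) != 2:
        sys.exit("usage: check_citizen.py <manifest.json>")
    found, verdict = check(sys.argv[1])
    print(f"Citizen {found}: {verdict}")
    sys.exit(1 if verdict == "AFFECTED" else 0)
```

A non-zero exit status marks an install in the affected range, so the script can gate a deployment or inventory job.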
📡 Detection & Monitoring
Log Indicators:
- Unusual page edits containing script tags or JavaScript in descriptions
- Multiple failed search attempts with suspicious parameters
Network Indicators:
- Unexpected outbound connections from wiki pages to external domains
- Suspicious Content-Type headers in search responses
SIEM Query:
source="mediawiki.log" AND ("script" OR "javascript" OR "onload" OR "onerror") AND "edit"