CVE-2025-53370

8.6 HIGH

📋 TL;DR

This vulnerability allows any user to inject arbitrary HTML into web pages by editing page content when the Citizen skin is used with the ShortDescription extension. This affects MediaWiki installations using Citizen skin versions 1.9.4 through 3.3.x. The vulnerability enables cross-site scripting attacks.

💻 Affected Systems

Products:
  • MediaWiki Citizen skin
Versions: 1.9.4 to 3.3.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires both Citizen skin and ShortDescription extension to be installed and enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions as authenticated users.

🟠 Likely Case

Malicious users inject JavaScript to steal session cookies or credentials from other users viewing affected pages.

🟢 If Mitigated

With proper input validation and output encoding, HTML injection would be neutralized before reaching the DOM.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires edit permissions on affected pages, but many MediaWiki installations allow user editing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.0

Vendor Advisory: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-prmv-7r8c-794g

Restart Required: No

Instructions:

1. Backup your MediaWiki installation
2. Update Citizen skin to version 3.4.0 or later
3. Clear any caches if applicable

🔧 Temporary Workarounds

Disable ShortDescription extension

all

Temporarily disable the ShortDescription extension to prevent exploitation

Edit LocalSettings.php and comment out or remove the line: wfLoadExtension('ShortDescription');

Restrict page editing

all

Limit who can edit pages to trusted users only

Edit LocalSettings.php to adjust $wgGroupPermissions

🧯 If You Can't Patch

  • Implement strict Content Security Policy headers to limit script execution
  • Enable MediaWiki's built-in HTML sanitization for user content

🔍 How to Verify

Check if Vulnerable:

Check Citizen skin version in MediaWiki skin configuration or filesystem

Check Version:

Check the version in skins/Citizen/extension.json or composer.json

Verify Fix Applied:

Verify Citizen skin version is 3.4.0 or later
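
A version check for the steps above, as an added example that is not part of the original advisory or the Citizen project: it reads the `version` field from the skin's manifest files and compares it with the affected range (1.9.4 up to, but not including, 3.4.0). The function names are hypothetical, `skin.json` is an assumption added alongside the two files this page names, and the sample manifests are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

FIRST_AFFECTED = (1, 9, 4)  # advisory: affected from 1.9.4
FIRST_FIXED = (3, 4, 0)     # advisory: fixed in 3.4.0
# extension.json and composer.json are the files this page names; skin.json,
# the manifest wfLoadSkin() reads, is added as an assumption.
MANIFESTS = ("skin.json", "extension.json", "composer.json")


def parse_version(text):
    """'3.3.1' or 'v3.4' -> (3, 3, 1) / (3, 4, 0); anything else -> None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", str(text).strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None


def citizen_status(skin_dir):
    """Return 'affected', 'fixed', 'older' or 'unknown' for a Citizen directory."""
    for name in MANIFESTS:
        try:
            data = json.loads((Path(skin_dir) / name).read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # manifest missing or not valid JSON: try the next one
        version = parse_version(data.get("version", "")) if isinstance(data, dict) else None
        if version is None:
            continue  # no usable version field (common for composer.json)
        if version >= FIRST_FIXED:
            return "fixed"
        return "affected" if version >= FIRST_AFFECTED else "older"
    return "unknown"  # pre-release tags and missing versions need a manual look


def check_constructed_samples():
    """Run the check over constructed manifests written to a temp directory."""
    samples = {"3.3.1": None, "3.4.0": None, "1.9.3": None, "3.4.0-rc1": None}
    with tempfile.TemporaryDirectory() as tmp:
        for ver in samples:
            skin = Path(tmp) / ver
            skin.mkdir()
            (skin / "composer.json").write_text('{"name": "constructed/sample"}')
            (skin / "skin.json").write_text(json.dumps({"name": "Citizen", "version": ver}))
            samples[ver] = citizen_status(skin)
    return samples


if __name__ == "__main__":
    print(check_constructed_samples())
```

On a real installation, call `citizen_status("skins/Citizen")` from the MediaWiki root; an `affected` result only matters when the ShortDescription extension is also enabled.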

📡 Detection & Monitoring

Log Indicators:

  • Unusual page edits containing script tags or HTML entities
  • Multiple rapid edits to same pages

Network Indicators:

  • Unexpected script loads from MediaWiki pages
  • Suspicious redirects from legitimate pages

SIEM Query:

Search for page edit logs containing <script> tags or javascript: protocols
