CVE-2025-62508
📋 TL;DR
This stored cross-site scripting vulnerability in the Citizen MediaWiki skin allows users with editinterface rights to inject malicious JavaScript into the sticky header. When other users view pages with the injected content, their browsers execute the attacker's scripts, potentially compromising their sessions. The vulnerability affects MediaWiki installations using Citizen skin versions 3.3.0 through 3.9.0.
💻 Affected Systems
- Citizen MediaWiki skin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with editinterface rights could steal administrator session cookies, perform actions as other users, exfiltrate sensitive data, or deploy malware to visitors' browsers.
Likely Case
Privileged users (sysops) with editinterface rights could execute JavaScript in other users' sessions, potentially modifying content, stealing session tokens, or performing unauthorized actions.
If Mitigated
With proper access controls limiting editinterface rights to trusted administrators only, the attack surface is reduced to trusted insiders.
🎯 Exploit Status
Requires authenticated user with editinterface rights. Exploitation involves editing system messages to inject JavaScript payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.0
Vendor Advisory: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g955-vw6w-v6pp
Restart Required: No
Instructions:
1. Update the Citizen skin to version 3.9.0 or later.
2. Navigate to the MediaWiki skins directory.
3. Replace the existing Citizen skin files with the patched version.
4. Clear any caches if applicable.
🔧 Temporary Workarounds
Restrict editinterface rights
Temporarily remove editinterface rights from all non-essential users until patching is complete.
MediaWiki LocalSettings.php: $wgGroupPermissions['sysop']['editinterface'] = false;
Disable sticky header feature
Disable the vulnerable sticky header functionality in the Citizen skin configuration.
MediaWiki LocalSettings.php: $wgCitizenEnableStickyHeader = false;
🧯 If You Can't Patch
- Immediately audit and restrict editinterface permissions to only absolutely necessary administrators
- Implement Content Security Policy headers to mitigate XSS impact
- Monitor for suspicious interface message edits
🔍 How to Verify
Check if Vulnerable:
Check the Citizen skin version in the MediaWiki skins directory or via the Special:Version page. If the version is between 3.3.0 and 3.9.0, the system is vulnerable.
Check Version:
Check the MediaWiki Special:Version page or examine the skins/Citizen/version.json file.
Verify Fix Applied:
Verify that the Citizen skin version is 3.9.0 or higher, and test that the sticky header buttons properly escape HTML content.
📡 Detection & Monitoring
Log Indicators:
- Unusual interface message edits by users with editinterface rights
- JavaScript injection patterns in recentchanges logs
Network Indicators:
- Unexpected external JavaScript loads from MediaWiki pages
- Suspicious outbound connections from user browsers
SIEM Query:
source="mediawiki" AND (event="edit" OR event="save") AND target="interface-message" AND user_has_right="editinterface"
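The SIEM query above only selects interface-message edits; the following added Python example (not from the advisory or the Citizen project) goes one step further and scans the saved text of such edits for script-like markup, run here over constructed sample records. The record field names (`ns`, `rights`, `text`) are assumptions about your log feed, not a MediaWiki schema.

```python
import re

MEDIAWIKI_NS = 8  # MediaWiki's namespace number for interface messages (MediaWiki:*)

# Heuristic markers that have no business in a plain-text interface message.
SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(?:iframe|object|embed)\b",
    re.IGNORECASE,
)

# Constructed sample records (not real wiki data). The shape loosely follows
# the recentchanges API (ns, title, user) plus the saved wikitext ("text") and
# the editor's rights ("rights"); adapt the field names to your own log feed.
SAMPLE_EDITS = [
    {"ns": 8, "title": "MediaWiki:Example-label", "user": "Admin",
     "rights": ["editinterface"], "text": "Go to top"},
    {"ns": 8, "title": "MediaWiki:Example-label", "user": "Admin",
     "rights": ["editinterface"],
     "text": 'Go to top<img src=x onerror="alert(1)">'},
    {"ns": 0, "title": "Main Page", "user": "Editor",
     "rights": ["edit"], "text": "<script>alert(1)</script>"},
]


def is_interface_message_edit(rec):
    """True when the edit targets the MediaWiki: namespace by a user holding editinterface."""
    return rec.get("ns") == MEDIAWIKI_NS and "editinterface" in rec.get("rights", [])


def find_script_markers(text):
    """Return the distinct suspicious markers found in the saved text (normalised)."""
    return sorted({m.group(0).lower().replace(" ", "") for m in SCRIPT_MARKERS.finditer(text)})


def flag_suspicious_edits(records):
    """Return one finding per interface-message edit whose text carries script markers."""
    findings = []
    for rec in records:
        if not is_interface_message_edit(rec):
            continue  # content edits in other namespaces are out of scope here
        markers = find_script_markers(rec.get("text", ""))
        if markers:
            findings.append({"title": rec["title"], "user": rec["user"], "markers": markers})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_edits(SAMPLE_EDITS):
        print(f"{f['user']} edited {f['title']}: {', '.join(f['markers'])}")
```

The marker list is a heuristic, so treat a hit as a trigger for review of the edit diff rather than as proof of exploitation.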
🔗 References
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/e006923c6dbf113c9a025ca186ecc09fe7b93a15
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/fbb1d4fe9627281567706f3f6fc99a42ce16fdc4
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g955-vw6w-v6pp