CVE-2025-53370

State: PUBLISHED · Published: 2025-07-03 · Updated: 2025-07-07 · Assigner: GitHub_M

Description

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 3.4.0.

CWE

CWE-79 — CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected

StarCitizenTools / mediawiki-skins-Citizen — v=>= 65a7ffd927467c8c3557146d1ac6de62b0369b6c, < c85a40bddc8651fff66df83a72debddcb34f0521 [affected]; v=>= 1.9.4, < 3.4.0 [affected]

CVSS

3.1 score=8.6 severity=HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

References

https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-prmv-7r8c-794g x_refsource_CONFIRM
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/c85a40bddc8651fff66df83a72debddcb34f0521 x_refsource_MISC
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/releases/tag/v3.4.0 x_refsource_MISC

Source

cvelistV5-main/cves/2025/53xxx/CVE-2025-53370.json