CVE-2025-49577

Citizen allows stored XSS in preference menu headings

Description

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.

INFO

Published Date :

2025-06-12T18:45:18.415Z

Last Modified :

2025-06-12T19:01:58.426Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-49577 vulnerability.

Vendors	Products
Starcitizen.tools	Citizen
Starcitizentools	Mediawiki-skins-citizen

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49577.

URL	Resource
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/a741639085d70c22a9f49890542a142a223bf981
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-jwr7-992g-68mh

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact