Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-g3cp-pq72-hjpv: starcitizentools/citizen-skin allows stored XSS in menu heading message

Summary

All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The system messages for menu headings are inserted unescaped into raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10

PoC

  1. Go to any article using citizen with the uselang parameter set to x-xss
  2. A large number of alerts will be shown for various messages, e.g.: image image

On the main page of my test wiki, the following messages were shown: navigation, notifications, user-interface-preferences, personaltools, variants, views, associated-pages, cactions and toolbox.

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

ghsa
Open in Source
#xss#vulnerability#web#js#git

Skip to content

Navigation Menu

    • GitHub Copilot

      Write better code with AI

    • GitHub Models New

      Manage and compare prompts

    • GitHub Advanced Security

      Find and fix vulnerabilities

    • Actions

      Automate any workflow

    • Codespaces

      Instant dev environments

*   Issues
    
    Plan and track work
    
*   Code Review
    
    Manage code changes
    
*   Discussions
    
    Collaborate outside of code
    
*   Code Search
    
    Find more, search less

  • Explore

    • Learning Pathways
    • Events & Webinars
    • Ebooks & Whitepapers
    • Customer Stories
    • Partners
    • Executive Insights

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-49579

starcitizentools/citizen-skin allows stored XSS in menu heading message

Package

composer starcitizentools/citizen-skin (Composer)

Affected versions

>= 2.4.2, < 3.3.1

Description

Summary

All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The system messages for menu headings are inserted unescaped into raw HTML:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10

PoC

  1. Go to any article using citizen with the uselang parameter set to x-xss
  2. A large number of alerts will be shown for various messages, e.g.:

On the main page of my test wiki, the following messages were shown: navigation, notifications, user-interface-preferences, personaltools, variants, views, associated-pages, cactions and toolbox.

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

References

  • GHSA-g3cp-pq72-hjpv
  • https://nvd.nist.gov/vuln/detail/CVE-2025-49579
  • StarCitizenTools/mediawiki-skins-Citizen@54c8717
  • StarCitizenTools/mediawiki-skins-Citizen@93c36ac

Published to the GitHub Advisory Database

Jun 13, 2025

Last updated

Jun 13, 2025

EPSS score

ghsa: Latest News

GHSA-65gg-3w2w-hr4h: Podman Improper Certificate Validation; machine missing TLS verification
ghsa