CVE-2025-49577: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in StarCitizenTools mediawiki-skins-Citizen
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.
AI Analysis
Technical Summary
CVE-2025-49577 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Citizen skin for MediaWiki, developed by StarCitizenTools. The Citizen skin integrates various MediaWiki extensions into a unified user interface experience. The vulnerability arises because certain preference messages are inserted directly into raw HTML without proper sanitization or neutralization. This flaw allows any user with the ability to edit these preference messages to inject arbitrary HTML or JavaScript code into the Document Object Model (DOM) of the rendered web pages. The vulnerability affects versions of the mediawiki-skins-Citizen skin from commit a741639085d70c22a9f49890542a142a223bf981 up to but not including commit 93c36ac778397e0e7c46cf7adb1e5d848265f1bd, and versions from 2.13.0 up to but not including 3.3.1. The issue was publicly disclosed on June 12, 2025, with a CVSS v3.1 base score of 6.5, indicating a medium severity level. The CVSS vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). The impact includes high confidentiality and integrity loss but no impact on availability. No known exploits are currently observed in the wild. The vulnerability is fixed in version 3.3.1 of the Citizen skin. The root cause is improper neutralization of input during web page generation, specifically the insertion of unescaped preference messages into raw HTML, which violates secure coding practices for web content generation and allows script injection.
Potential Impact
For European organizations using MediaWiki with the Citizen skin, this vulnerability poses a significant risk to the confidentiality and integrity of their web content and user data. Since the vulnerability requires high privileges to edit preference messages, it primarily threatens internal users or administrators with elevated rights. However, if such privileges are compromised or misconfigured, attackers could inject malicious scripts that execute in the context of the affected MediaWiki instance. This could lead to session hijacking, unauthorized data access, defacement, or further lateral movement within the organization’s network. Given MediaWiki's widespread use in knowledge management and collaboration platforms across enterprises, government agencies, and educational institutions in Europe, exploitation could disrupt critical information workflows and damage organizational reputation. The lack of impact on availability means the service remains operational, potentially allowing persistent stealthy attacks. The absence of known exploits in the wild suggests limited immediate threat, but the medium severity score and ease of exploitation with elevated privileges warrant prompt attention. Organizations with complex permission structures or those that allow a broad set of users to edit preference messages are at higher risk.
Mitigation Recommendations
1. Upgrade immediately to mediawiki-skins-Citizen version 3.3.1 or later, where the vulnerability is fixed.
2. Audit and restrict permission to edit preference messages strictly to trusted administrators to reduce the risk of privilege abuse.
3. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts and reduce the impact of potential XSS attacks.
4. Conduct regular code reviews and security testing on custom MediaWiki skins and extensions to detect improper input handling.
5. Enable web application firewall (WAF) rules that detect and block suspicious HTML or script injection attempts targeting MediaWiki endpoints.
6. Monitor logs for unusual editing activity on preference messages or other high-privilege content areas.
7. Educate administrators on secure configuration and the risks of privilege escalation within MediaWiki environments.
8. If upgrading immediately is not feasible, apply manual input sanitization or escaping for preference messages as a temporary mitigation.
9. Regularly update and patch MediaWiki and its components to minimize exposure to known vulnerabilities.
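As a concrete form of step 6 above (and a way to audit message bodies before they reach a raw-HTML sink, per step 8), the following added example, which is not Citizen's or MediaWiki's own code, filters a `list=recentchanges` API response down to interface-message edits and flags bodies that carry HTML markup or script-capable content. It assumes the editable messages live in the MediaWiki: namespace (ns 8, where MediaWiki interface messages are overridden); the message titles prefixed `Example-` and all revision bodies are constructed placeholders, not values from the advisory.

```python
"""Flag edits to MediaWiki interface messages whose new text contains HTML.
Added example (not project code). Input shape follows
api.php?action=query&list=recentchanges&rcnamespace=8&rcprop=title|ids|user|timestamp
Sample data below is constructed; message names are placeholders."""
import json
import re

MESSAGE_NS = 8  # MediaWiki: namespace, where interface messages are overridden

# Constructed sample API response (format=json); revision bodies keyed by revid.
SAMPLE_RC = json.dumps({"query": {"recentchanges": [
    {"type": "edit", "ns": 8, "title": "MediaWiki:Example-preferences-label",
     "revid": 101, "user": "Admin", "timestamp": "2025-06-12T18:00:00Z"},
    {"type": "edit", "ns": 8, "title": "MediaWiki:Sitenotice",
     "revid": 102, "user": "Admin", "timestamp": "2025-06-12T18:05:00Z"},
    {"type": "edit", "ns": 0, "title": "Main Page",
     "revid": 103, "user": "Editor", "timestamp": "2025-06-12T18:06:00Z"},
    {"type": "edit", "ns": 8, "title": "MediaWiki:Example-preferences-title",
     "revid": 104, "user": "Admin", "timestamp": "2025-06-12T18:07:00Z"},
]}})
SAMPLE_REVISIONS = {
    101: 'Preferences <script src="//example.invalid/p.js"></script>',  # script tag
    102: "<b>Scheduled maintenance</b> tonight.",  # formatting only, still raw HTML
    103: "<b>bold</b> article text",               # ns 0: not an interface message
    104: "Appearance",                             # plain text, nothing to review
}

# Script-capable constructs: <script>, on*= event handlers, javascript: URLs.
ACTIVE_CONTENT = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I)
HTML_MARKUP = re.compile(r"<\s*/?[a-zA-Z!]")  # any tag opener at all

def message_edits(rc_json: str) -> list:
    """Keep only recentchanges entries that create or edit MediaWiki: pages."""
    data = json.loads(rc_json)
    return [rc for rc in data["query"]["recentchanges"]
            if rc.get("ns") == MESSAGE_NS and rc.get("type") in ("edit", "new")]

def classify(content: str) -> str:
    """'active' for script-capable markup, 'markup' for any tag, else 'clean'."""
    if ACTIVE_CONTENT.search(content):
        return "active"
    if HTML_MARKUP.search(content):
        return "markup"
    return "clean"

def review_message_edits(rc_json: str, revisions: dict) -> list:
    """Join message edits with their bodies; return the ones that need a look."""
    findings = []
    for rc in message_edits(rc_json):
        verdict = classify(revisions.get(rc["revid"], ""))
        if verdict != "clean":
            findings.append({"title": rc["title"], "user": rc["user"],
                             "revid": rc["revid"], "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in review_message_edits(SAMPLE_RC, SAMPLE_REVISIONS):
        print(f"{f['verdict']:7} rev {f['revid']} {f['title']} by {f['user']}")
```

In production the two sample structures would come from the live API and `action=query&prop=revisions&rvprop=content`; a `markup` verdict is worth reviewing as well as `active`, because the unfixed sink renders any HTML it is given.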
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-06T15:44:21.555Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 684b2228358c65714e6ae298
Added to database: 6/12/2025, 6:53:28 PM
Last enriched: 6/12/2025, 7:08:36 PM
Last updated: 11/22/2025, 7:37:06 PM