CVE-2025-49578: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in StarCitizenTools mediawiki-skins-Citizen
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
AI Analysis
Technical Summary
CVE-2025-49578 is a cross-site scripting (XSS) vulnerability identified in the Citizen skin for MediaWiki, developed by StarCitizenTools. This skin integrates various extensions to provide a cohesive user experience. The vulnerability arises from improper neutralization of input during web page generation, specifically related to how date messages returned by the `Language::userDate` function are handled. These date messages are inserted directly into raw HTML without sufficient sanitization or encoding, allowing an attacker with the ability to edit these messages to inject arbitrary HTML and JavaScript code into the Document Object Model (DOM) of affected wikis. The vulnerability impacts wikis where a user group possesses the `editinterface` permission but lacks the `editsitejs` permission. This permission configuration allows attackers to modify interface messages but restricts them from editing site-wide JavaScript, which could otherwise be used for similar attacks. The vulnerability affects versions of the Citizen skin from commit 64cb5d7ab3a6dc0381fae54b31e8fc4afadc8beb up to but not including 93c36ac778397e0e7c46cf7adb1e5d848265f1bd, and specifically versions 3.3.0 up to but not including 3.3.1. The issue was publicly disclosed on June 12, 2025, and is assigned a CVSS v3.1 score of 6.5, indicating a medium severity level. The attack vector is network-based, requiring high privileges (editinterface permission) but no user interaction. The vulnerability impacts confidentiality and integrity by allowing script injection, but does not affect availability. No known exploits are currently reported in the wild, and no official patches are linked, although the issue is fixed in version 3.3.1 of the Citizen skin.
Potential Impact
For European organizations using MediaWiki with the Citizen skin, this vulnerability poses a moderate risk. Exploitation could allow attackers with interface editing rights to execute arbitrary scripts in the context of the wiki users, potentially leading to session hijacking, unauthorized data access, or manipulation of displayed content. This can undermine the integrity and confidentiality of information managed within the wiki, which may be critical for knowledge management, internal documentation, or collaborative projects. Organizations relying on MediaWiki for sensitive or proprietary information could face data leakage or reputational damage if attackers leverage this vulnerability. Since exploitation requires the attacker to have editinterface permissions, the risk is higher in environments with insufficiently restricted user roles or where interface editing rights are granted to a broad user base. The lack of requirement for user interaction means that injected scripts execute automatically when affected pages are viewed, increasing the potential impact. However, the absence of known exploits in the wild and the medium CVSS score suggest the threat is currently moderate but should be addressed promptly to prevent escalation.
Mitigation Recommendations
1. Upgrade the Citizen skin to version 3.3.1 or later immediately to apply the official fix.
2. Audit user permissions within MediaWiki to ensure that the `editinterface` right is granted only to trusted administrators or users with a demonstrated need, minimizing the attack surface.
3. Implement strict content security policies (CSP) on the wiki server to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks.
4. Regularly review and sanitize all interface messages and user-editable content, especially those that are rendered as raw HTML, to prevent injection of malicious code.
5. Monitor wiki logs for unusual editing activity related to interface messages or date formats that could indicate attempted exploitation.
6. Consider deploying web application firewalls (WAF) with rules tailored to detect and block XSS payloads targeting MediaWiki instances.
7. Educate administrators and users with elevated permissions about the risks of granting interface editing rights and best practices for secure content management.
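The sketch below illustrates the flaw described in the Technical Summary and the message review in recommendation 4. It is an added example, not code from the Citizen skin or MediaWiki: the formatter is a simplified stand-in for a localized date function, the month-name message keys are assumed to be the editable date messages, and the override is constructed, harmless sample data.

```javascript
// Added example; formatter, keys and sample data are constructed for illustration.
const MONTH_KEYS = ['january', 'february', 'march', 'april', 'may', 'june',
  'july', 'august', 'september', 'october', 'november', 'december'];

// Default message values (what an unmodified wiki would serve).
const DEFAULTS = Object.fromEntries(
  MONTH_KEYS.map(k => [k, k[0].toUpperCase() + k.slice(1)]));

// Simplified stand-in for a localized date formatter: the month name comes
// from an interface message that holders of editinterface can override.
function formatDate(date, messages) {
  const month = messages[MONTH_KEYS[date.getUTCMonth()]];
  return `${date.getUTCDate()} ${month} ${date.getUTCFullYear()}`;
}

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}

// Weak pattern: the formatted date is trusted and placed into raw HTML.
function renderUnsafe(date, messages) {
  return `<time class="timestamp">${formatDate(date, messages)}</time>`;
}

// Hardened pattern: the formatted date is treated as text and escaped on output.
function renderSafe(date, messages) {
  return `<time class="timestamp">${escapeHtml(formatDate(date, messages))}</time>`;
}

// Review helper: list overridden messages that differ from the default and
// contain markup-significant characters, so a human can inspect them.
function auditMessages(messages, defaults = DEFAULTS) {
  return Object.keys(messages).filter(key =>
    messages[key] !== defaults[key] && /[&<>"']/.test(messages[key]));
}

// Constructed sample: one override carrying harmless markup.
const overridden = { ...DEFAULTS, june: '<b>June</b>' };
const sampleDate = new Date(Date.UTC(2025, 5, 12));

console.log(renderUnsafe(sampleDate, overridden)); // markup reaches the page
console.log(renderSafe(sampleDate, overridden));   // markup rendered as text
console.log(auditMessages(overridden));            // messages to review
```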
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-06T15:44:21.555Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 684b25b2358c65714e6ae79f
Added to database: 6/12/2025, 7:08:34 PM
Last enriched: 6/12/2025, 7:24:04 PM
Last updated: 7/31/2025, 8:26:34 AM