CVE-2025-49579 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Citizen skin for MediaWiki, developed by StarCitizenTools. The vulnerability arises because system messages used in menu headings, rendered via the Menu.mustache template, are inserted into the DOM as raw HTML without proper sanitization or neutralization. This flaw allows any user with the 'editinterface' permission—but without the 'editsitejs' permission—to inject arbitrary HTML content into the web pages. Since these system messages are part of the user interface, malicious HTML or JavaScript can execute in the context of other users viewing the affected wiki pages. The vulnerability affects Citizen skin versions from 2.4.2 up to but not including 3.3.1, and certain Git commit ranges specified. The CVSS v3.1 score is 6.5 (medium severity), reflecting that exploitation requires privileges (high privileges) but no user interaction, and can lead to full compromise of confidentiality and integrity of user sessions or data. The vulnerability does not impact availability. No known exploits have been reported in the wild as of the publication date (June 12, 2025). The root cause is improper neutralization of input during web page generation, specifically the failure to sanitize system messages inserted as raw HTML. This allows stored XSS attacks where malicious code persists in the wiki interface. The vulnerability is fixed in Citizen skin version 3.3.1.

For European organizations using MediaWiki with the Citizen skin, this vulnerability poses a significant risk to the confidentiality and integrity of their wiki content and user sessions. Attackers with interface editing privileges could inject malicious scripts that execute in the browsers of other users, potentially stealing authentication tokens, performing actions on behalf of users, or defacing content. This could lead to unauthorized access to sensitive internal documentation, intellectual property leakage, or disruption of collaborative workflows. Since many European public sector entities, research institutions, and enterprises rely on MediaWiki for knowledge management, the impact could be widespread. The requirement for 'editinterface' privileges limits exploitation to trusted users or insiders, but insider threats or compromised accounts could leverage this vulnerability. The lack of user interaction needed means exploitation can be automated once privileges are obtained. Although availability is not directly affected, the reputational damage and potential data breaches could have regulatory consequences under GDPR and other European data protection laws.

1. Upgrade the Citizen skin to version 3.3.1 or later immediately to apply the official patch that neutralizes input properly. 2. Review and restrict the assignment of the 'editinterface' user right to only highly trusted administrators to reduce the attack surface. 3. Implement Content Security Policy (CSP) headers on MediaWiki deployments to restrict the execution of inline scripts and reduce the impact of XSS attacks. 4. Audit existing system messages for any suspicious or injected HTML content and sanitize or remove them. 5. Monitor user activity logs for unusual edits to interface messages or privilege escalations. 6. Consider deploying web application firewalls (WAF) with rules targeting XSS payloads in MediaWiki interfaces. 7. Educate administrators about the risks of granting 'editinterface' rights and enforce multi-factor authentication to protect privileged accounts. 8. Regularly scan MediaWiki installations with security tools that detect XSS vulnerabilities and verify that all components are up to date.