CVE-2025-53368 is a high-severity cross-site scripting (XSS) vulnerability identified in the Citizen skin for MediaWiki, developed by StarCitizenTools. This vulnerability affects versions from 1.9.4 up to but not including 3.4.0. The issue arises because the Citizen skin improperly neutralizes input when generating web pages, specifically when inserting page descriptions into raw HTML during the use of the old search bar feature. Since these descriptions are not properly sanitized, any user with page editing privileges can inject malicious scripts (XSS payloads) into the Document Object Model (DOM). When other users perform searches that trigger the rendering of these manipulated page descriptions, the malicious scripts execute in their browsers. This can lead to a range of attacks including session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability does not require authentication (PR:N) or user interaction (UI:N) to be exploited, and it can be triggered remotely over the network (AV:N). The CVSS v3.1 score is 8.6, indicating a high severity, with a vector showing high confidentiality impact, low integrity impact, and low availability impact. The vulnerability has been patched in version 3.4.0 of the Citizen skin. No known exploits are currently reported in the wild. The root cause is improper input sanitization (CWE-79), a common web application security flaw that allows injection of executable code into web pages.

For European organizations using MediaWiki with the Citizen skin versions between 1.9.4 and 3.4.0, this vulnerability poses a significant risk. The exploitation can lead to unauthorized disclosure of sensitive information (high confidentiality impact), such as user credentials or session tokens, potentially enabling further compromise of internal systems. The integrity impact is lower but still present, as attackers could manipulate displayed content or perform limited unauthorized actions via the victim's browser context. Availability impact is low but possible if attackers leverage XSS to execute denial-of-service scripts. Given that MediaWiki is often used for internal knowledge bases, documentation, and collaboration, exploitation could disrupt business operations, leak proprietary information, or facilitate lateral movement within networks. The lack of required user interaction means that simply searching for pages can trigger the attack, increasing the risk of widespread impact. European organizations with collaborative platforms or public-facing wikis using this skin are particularly vulnerable. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting personal data, and exploitation leading to data breaches could result in legal and financial penalties.

Organizations should immediately verify if they are using the Citizen skin for MediaWiki in the affected versions and upgrade to version 3.4.0 or later where the vulnerability is patched. If immediate upgrade is not feasible, implement the following mitigations: 1) Disable or replace the old search bar feature that triggers the vulnerable code path to prevent injection execution. 2) Apply web application firewall (WAF) rules to detect and block typical XSS payload patterns targeting the search functionality and page descriptions. 3) Restrict page editing privileges strictly to trusted users and enforce strong authentication and authorization controls to reduce the risk of malicious content insertion. 4) Conduct thorough input validation and output encoding on all user-generated content, especially page descriptions, at the application level if possible. 5) Monitor logs for unusual search queries or page edits that could indicate attempted exploitation. 6) Educate users about the risks of XSS and encourage cautious behavior when interacting with wiki content. 7) Regularly audit and update MediaWiki extensions and skins to ensure all components are current and secure.