CVE-2025-53368: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in StarCitizenTools mediawiki-skins-Citizen
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This issue has been patched in version 3.4.0.
AI Analysis
Technical Summary
CVE-2025-53368 is a high-severity cross-site scripting (XSS) vulnerability identified in the Citizen skin for MediaWiki, developed by StarCitizenTools. This vulnerability affects versions from 1.9.4 up to but not including 3.4.0. The issue arises because the Citizen skin improperly neutralizes input when generating web pages, specifically when inserting page descriptions into raw HTML during the use of the old search bar feature. Since these descriptions are not properly sanitized, any user with page editing privileges can inject malicious scripts (XSS payloads) into the Document Object Model (DOM). When other users perform searches that trigger the rendering of these manipulated page descriptions, the malicious scripts execute in their browsers. This can lead to a range of attacks including session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability does not require authentication (PR:N) or user interaction (UI:N) to be exploited, and it can be triggered remotely over the network (AV:N). The CVSS v3.1 score is 8.6, indicating a high severity, with a vector showing high confidentiality impact, low integrity impact, and low availability impact. The vulnerability has been patched in version 3.4.0 of the Citizen skin. No known exploits are currently reported in the wild. The root cause is improper input sanitization (CWE-79), a common web application security flaw that allows injection of executable code into web pages.
Potential Impact
For European organizations using MediaWiki with the Citizen skin versions between 1.9.4 and 3.4.0, this vulnerability poses a significant risk. The exploitation can lead to unauthorized disclosure of sensitive information (high confidentiality impact), such as user credentials or session tokens, potentially enabling further compromise of internal systems. The integrity impact is lower but still present, as attackers could manipulate displayed content or perform limited unauthorized actions via the victim's browser context. Availability impact is low but possible if attackers leverage XSS to execute denial-of-service scripts. Given that MediaWiki is often used for internal knowledge bases, documentation, and collaboration, exploitation could disrupt business operations, leak proprietary information, or facilitate lateral movement within networks. The lack of required user interaction means that simply searching for pages can trigger the attack, increasing the risk of widespread impact. European organizations with collaborative platforms or public-facing wikis using this skin are particularly vulnerable. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting personal data, and exploitation leading to data breaches could result in legal and financial penalties.
Mitigation Recommendations
Organizations should immediately verify if they are using the Citizen skin for MediaWiki in the affected versions and upgrade to version 3.4.0 or later where the vulnerability is patched. If immediate upgrade is not feasible, implement the following mitigations: 1) Disable or replace the old search bar feature that triggers the vulnerable code path to prevent injection execution. 2) Apply web application firewall (WAF) rules to detect and block typical XSS payload patterns targeting the search functionality and page descriptions. 3) Restrict page editing privileges strictly to trusted users and enforce strong authentication and authorization controls to reduce the risk of malicious content insertion. 4) Conduct thorough input validation and output encoding on all user-generated content, especially page descriptions, at the application level if possible. 5) Monitor logs for unusual search queries or page edits that could indicate attempted exploitation. 6) Educate users about the risks of XSS and encourage cautious behavior when interacting with wiki content. 7) Regularly audit and update MediaWiki extensions and skins to ensure all components are current and secure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
CVE-2025-53368: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in StarCitizenTools mediawiki-skins-Citizen
Description
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This issue has been patched in version 3.4.0.
AI-Powered Analysis
Technical Analysis
CVE-2025-53368 is a high-severity cross-site scripting (XSS) vulnerability identified in the Citizen skin for MediaWiki, developed by StarCitizenTools. This vulnerability affects versions from 1.9.4 up to but not including 3.4.0. The issue arises because the Citizen skin improperly neutralizes input when generating web pages, specifically when inserting page descriptions into raw HTML during the use of the old search bar feature. Since these descriptions are not properly sanitized, any user with page editing privileges can inject malicious scripts (XSS payloads) into the Document Object Model (DOM). When other users perform searches that trigger the rendering of these manipulated page descriptions, the malicious scripts execute in their browsers. This can lead to a range of attacks including session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability does not require authentication (PR:N) or user interaction (UI:N) to be exploited, and it can be triggered remotely over the network (AV:N). The CVSS v3.1 score is 8.6, indicating a high severity, with a vector showing high confidentiality impact, low integrity impact, and low availability impact. The vulnerability has been patched in version 3.4.0 of the Citizen skin. No known exploits are currently reported in the wild. The root cause is improper input sanitization (CWE-79), a common web application security flaw that allows injection of executable code into web pages.
Potential Impact
For European organizations using MediaWiki with the Citizen skin versions between 1.9.4 and 3.4.0, this vulnerability poses a significant risk. The exploitation can lead to unauthorized disclosure of sensitive information (high confidentiality impact), such as user credentials or session tokens, potentially enabling further compromise of internal systems. The integrity impact is lower but still present, as attackers could manipulate displayed content or perform limited unauthorized actions via the victim's browser context. Availability impact is low but possible if attackers leverage XSS to execute denial-of-service scripts. Given that MediaWiki is often used for internal knowledge bases, documentation, and collaboration, exploitation could disrupt business operations, leak proprietary information, or facilitate lateral movement within networks. The lack of required user interaction means that simply searching for pages can trigger the attack, increasing the risk of widespread impact. European organizations with collaborative platforms or public-facing wikis using this skin are particularly vulnerable. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting personal data, and exploitation leading to data breaches could result in legal and financial penalties.
Mitigation Recommendations
Organizations should immediately verify if they are using the Citizen skin for MediaWiki in the affected versions and upgrade to version 3.4.0 or later where the vulnerability is patched. If immediate upgrade is not feasible, implement the following mitigations: 1) Disable or replace the old search bar feature that triggers the vulnerable code path to prevent injection execution. 2) Apply web application firewall (WAF) rules to detect and block typical XSS payload patterns targeting the search functionality and page descriptions. 3) Restrict page editing privileges strictly to trusted users and enforce strong authentication and authorization controls to reduce the risk of malicious content insertion. 4) Conduct thorough input validation and output encoding on all user-generated content, especially page descriptions, at the application level if possible. 5) Monitor logs for unusual search queries or page edits that could indicate attempted exploitation. 6) Educate users about the risks of XSS and encourage cautious behavior when interacting with wiki content. 7) Regularly audit and update MediaWiki extensions and skins to ensure all components are current and secure.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-06-27T12:57:16.121Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6866dc736f40f0eb729b38df
Added to database: 7/3/2025, 7:39:31 PM
Last enriched: 7/3/2025, 7:54:30 PM
Last updated: 7/12/2025, 5:33:39 PM
Views: 14
Related Threats
CVE-2025-54060: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
CriticalCVE-2025-54058: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
CriticalCVE-2025-53946: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
CriticalCVE-2025-53941: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in fedify-dev hollo
MediumCVE-2025-53927: CWE-94: Improper Control of Generation of Code ('Code Injection') in 1Panel-dev MaxKB
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.