CVE-2025-49579 MEDIUM

CVE-2025-49579: Citizen allows stored XSS in menu heading message

Vendor Starcitizentools
Product mediawiki-skins-Citizen
Weakness CWE-79 · XSS
Published June 12, 2025
Last update June 12, 2025
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.

Key dates

02Disclosure timeline

June 12, 2025 CVE published
June 12, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-0282 Kashipara Food Management System addmaterialsubmit.php cross site scripting CVE-2024-4729 Campcodes Legal Case Management System expense-type cross site scripting CVE-2023-5024 Planno Comment cross site scripting CVE-2025-1064 Login/Signup Popup ( Inline Form + Woocommerce ) <= 2.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via xoo_el_action Shortcode CVE-2022-0429 WP Cerber Security, Anti-spam & Malware Scan < 8.9.6 - Unauthenticated Stored Cross-Site Scripting