CVE-2025-53370 HIGH

CVE-2025-53370: Citizen stored XSS vulnerability through short descriptions

Vendor Starcitizentools
Product mediawiki-skins-Citizen
Weakness CWE-79 · XSS
Published July 3, 2025
Last update July 7, 2025
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 3.4.0.

Key dates

02Disclosure timeline

July 3, 2025 CVE published
July 7, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-12128 Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal <= 3.1.2 - Reflected Cross-Site Scripting via monthly_sales_current_year Parameter CVE-2024-4293 PHPGurukul Doctor Appointment Management System appointment-bwdates-reports-details.php cross site scripting CVE-2024-45094 IBM DS8900F and DS8A00 Hardware Management Console (HMC) cross-site scripting CVE-2021-24995 HTML5 Responsive FAQ <= 2.8.5 - Admin+ Stored Cross-Site Scripting CVE-2023-28169 WordPress Easy Event calendar Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS)