6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49575

CVE-2025-49575: Citizen skin vulnerable to stored XSS through multiple system messages

Summary

Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The messages are retrieved using the plain() output mode: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66 currentTip is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69 currentTip is inserted as raw HTML (vue/no-v-html should not be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L3-L4

PoC

Edit citizen-command-palette-tip-commands, citizen-command-palette-tip-users, citizen-command-palette-tip-namespace and citizen-command-palette-tip-templates to <img src="" onerror="alert(1)"> (script tags don't work here due to the way the HTML is inserted)
Open the command palette

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-49575

CVE-2025-49575:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
starcitizentools/citizen-skin	composer	>= 2.4.2, < 3.3.1	3.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (GHSA-4c2h-67qq-vm87 / CVE-2025-49575) encompasses multiple stored Cross-Site Scripting (XSS) flaws within the StarCitizenTools/mediawiki-skins-Citizen skin. The fundamental cause across these issues is the improper handling and sanitization of data, particularly system messages or other content that can be influenced by users with editinterface permissions, before it is rendered as HTML in the user's browser.

The primary vulnerability, as highlighted in the advisory, resides in the CommandPaletteFooter.vue component. System messages intended as tips were fetched using mw.message(...).plain(). This method does not escape HTML entities within the message content. Subsequently, these potentially unsafe messages were rendered into the DOM using Vue's v-html directive, which explicitly allows raw HTML rendering, thereby creating an XSS vector.

The security patch (commit 93c36ac778397e0e7c46cf7adb1e5d848265f1bd) addressed this specific issue by changing .plain() to .parse(), which is designed to handle wikitext and produce safe HTML output suitable for rendering.

Beyond this main issue, the same commit also rectified several other XSS vulnerabilities:

In includes/Components/CitizenComponentUserInfo.php, the getUserRegistration method was modified to use Html::element for constructing HTML instead of sprintf with potentially unescaped date strings.
In resources/skins.citizen.preferences/addPortlet.polyfill.js, an assignment to innerHTML was replaced with an assignment to textContent to prevent potential HTML injection through portlet labels.
In Mustache templates (templates/Menu.mustache and resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache), triple-stashes ({{{.}}}), which render unescaped HTML, were replaced with double-stashes ({{.}}) to ensure data is properly escaped before rendering.

These fixes collectively mitigate the risk of attackers injecting malicious scripts by controlling the content of various system messages or other data points within the wiki interface.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-49575: Citizen skin vulnerable to stored XSS through multiple system messages

Summary

Details

PoC

Impact

CVE-2025-49575:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-49575: Citizen skin vulnerable to stored XSS through multiple system messages

Summary

Details

PoC

Impact

6.5

6.5

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI