CVE-2025-49575
BaseFortify
Publication date: 2025-06-12
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| starcitizen.tools | citizen | all versions before 3.3.1 (3.3.1 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Citizen MediaWiki skin's CommandPaletteFooter component. Multiple system messages (tips) are inserted as raw HTML without proper sanitization, allowing anyone who can edit these messages (with the 'editinterface' permission) to inject arbitrary HTML, including JavaScript event handlers. When other users open the command palette, the malicious code executes in their browsers. Script tags do not work, but event handlers like onerror in image tags can be used to trigger scripts. [1]
How can this vulnerability impact me?
If you have a wiki using the Citizen skin and a user group has the 'editinterface' permission but not the 'editsitejs' right, attackers in that group can inject malicious HTML/JavaScript into system messages. This leads to stored XSS, allowing attackers to execute arbitrary scripts in the context of other users, potentially exposing sensitive data or modifying data. The vulnerability has a moderate severity with a CVSS score of 6.5 and requires high privileges to exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the CommandPaletteFooter component of the Citizen MediaWiki skin renders the system tip messages as raw HTML without sanitization. One practical way is to inspect the content of the system messages (tips), such as 'citizen-command-palette-tip-commands' and 'citizen-command-palette-tip-users', for injected HTML carrying event handlers, for example <img src='' onerror='alert(1)'>. On the system itself, you can edit these messages (if you hold the required permissions) to include such a payload and then open the command palette: if the alert fires, the instance is vulnerable. No specific network commands are provided, but manual inspection or automated scanning of these message keys for stored XSS is possible. Additionally, checking that the installed Citizen skin is version 3.3.1 or later (where the fix is applied) identifies vulnerable instances. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Citizen MediaWiki skin to version 3.3.1 or later, where this vulnerability is fixed. Additionally, review and restrict user permissions to ensure that only trusted users have the 'editinterface' right, especially if they do not have the 'editsitejs' right, to prevent unauthorized editing of system messages. As a temporary workaround, avoid using the vulnerable versions or disable the CommandPaletteFooter component if possible until the patch is applied. [1]
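The three answers above describe the same defect from three angles: tip messages inserted as raw HTML, a check of the message keys for injected event handlers, and a version check against the fixed release. The following JavaScript is an added illustration written for this page, not code from the Citizen skin or from MediaWiki; the message keys are the ones the page names, but the message values, the function names and the rendering helpers are constructed assumptions. It places the unsafe rendering pattern beside an escaping variant, scans a set of message values for inline event handlers or javascript: URLs, and compares an installed version string against 3.3.1.

```javascript
// Added example, not the Citizen skin's own code. Shows (1) the vulnerable
// pattern of placing a system message into markup unescaped, (2) the escaped
// alternative, (3) a scan of message values for inline event handlers, and
// (4) a version check against the fixed release 3.3.1 named on the page.

// Constructed sample messages. The keys mirror the ones named on the page;
// the values are made up for this illustration. The second value carries the
// same kind of payload the page's detection answer describes.
const SAMPLE_MESSAGES = {
  "citizen-command-palette-tip-commands": "Type / to see available commands",
  "citizen-command-palette-tip-users": "Find users <img src='' onerror='alert(1)'>",
};

// Vulnerable pattern: the message string is interpolated into markup as-is
// (equivalent to assigning it to innerHTML or rendering it with v-html).
function renderTipUnsafe(message) {
  return `<div class="tip">${message}</div>`;
}

// Minimal HTML escaping of the five characters that matter in text content
// and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: the message is rendered as text, so any tags or event
// handlers it contains are displayed literally instead of being parsed.
function renderTipSafe(message) {
  return `<div class="tip">${escapeHtml(message)}</div>`;
}

// Inline event-handler attribute (on...=) inside a tag, or a javascript: URL.
const EVENT_HANDLER_RE = /<[^>]*\son[a-z]+\s*=/i;
const JS_URL_RE = /(href|src)\s*=\s*["']?\s*javascript:/i;

// Returns the keys of messages that look like they carry injected script
// hooks. Plain text and harmless markup such as <kbd> are not flagged.
function findSuspiciousMessages(messages) {
  return Object.entries(messages)
    .filter(([, value]) => EVENT_HANDLER_RE.test(value) || JS_URL_RE.test(value))
    .map(([key]) => key);
}

// Dotted-version comparison: true when `version` >= `minimum`.
function versionAtLeast(version, minimum) {
  const a = version.split(".").map(Number);
  const b = minimum.split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// The page states the fix ships in Citizen 3.3.1; earlier versions are affected.
function isPatchedCitizenVersion(version) {
  return versionAtLeast(version, "3.3.1");
}

// Stand-alone run: report flagged keys and show the two rendering outcomes.
if (typeof require !== "undefined" && require.main === module) {
  console.log("flagged:", findSuspiciousMessages(SAMPLE_MESSAGES));
  const tip = SAMPLE_MESSAGES["citizen-command-palette-tip-users"];
  console.log("unsafe:", renderTipUnsafe(tip));
  console.log("safe:  ", renderTipSafe(tip));
  console.log("3.3.0 patched?", isPatchedCitizenVersion("3.3.0"));
  console.log("3.3.1 patched?", isPatchedCitizenVersion("3.3.1"));
}
```

The scan is a coarse triage aid for the message keys named in the advisory, not a substitute for upgrading: a message that legitimately contains markup is rendered correctly only if the component escapes or sanitizes it, which is what the fix in 3.3.1 addresses.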