CVE-2025-49576
BaseFortify
Publication date: 2025-06-12
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| starcitizen.tools | citizen | to 3.3.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49576 is a stored Cross-Site Scripting (XSS) vulnerability in the Citizen MediaWiki skin. It occurs because the system messages 'citizen-search-noresults-title' and 'citizen-search-noresults-desc' are inserted into the DOM as raw HTML without proper sanitization. This allows any user with permission to edit these messages to inject arbitrary HTML, including malicious event handlers that can execute JavaScript when a user searches for a non-existent page and triggers the rendering of these messages. [2]
How can this vulnerability impact me? :
This vulnerability can lead to the execution of arbitrary JavaScript code in the context of users viewing the affected MediaWiki skin. An attacker with permission to edit interface messages can inject malicious HTML that executes when other users perform certain actions, such as searching for a non-existent page. This can compromise confidentiality and integrity by stealing sensitive information or manipulating the user interface, although it does not affect availability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the system messages 'citizen-search-noresults-title' and 'citizen-search-noresults-desc' contain any arbitrary or suspicious HTML content that could lead to XSS. Since the vulnerability involves stored XSS via these messages, you can inspect these messages in your MediaWiki installation. There are no specific network commands provided, but you can manually review or export these messages for suspicious HTML. Additionally, testing can be done by editing these messages to include harmless test payloads like <img src='' onerror='alert("test")'> and then performing a search for a non-existent page to see if the alert triggers. No explicit commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Citizen MediaWiki skin to version 3.3.1 or later, where the vulnerability is fixed. Alternatively, restrict the 'editinterface' permission to trusted users only, as the vulnerability requires the ability to edit interface messages. Avoid allowing untrusted users to modify 'citizen-search-noresults-title' and 'citizen-search-noresults-desc' messages. Applying the patch from commit 93c36ac778397e0e7c46cf7adb1e5d848265f1bd also addresses the issue by replacing raw HTML insertion with Mustache templates that prevent arbitrary HTML injection. [2, 1]