CVE-2025-62508
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-17

Last updated on: 2025-10-21

Assigner: GitHub, Inc.

Description
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element’s textContent when copying button labels. This causes escaped HTML in system message content (such as citizen-share, citizen-view-history, citizen-view-edit, and nstab-talk) to be interpreted as HTML in the sticky header, allowing injection of arbitrary script by a user with the ability to edit interface messages. The vulnerability allows a user with the editinterface right but without the editsitejs right (by default the sysop group has editinterface but may not have editsitejs) to execute arbitrary JavaScript in other users’ sessions, enabling unauthorized access to sensitive data or actions. The issue is fixed in 3.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-17
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62508
EUVD
EUVD-2025-34930
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
starcitizentools citizen 3.9.0
starcitizentools citizen 3.7.0
starcitizentools citizen 3.3.0
starcitizentools citizen 3.6.0
starcitizentools citizen 3.5.0
starcitizentools citizen 3.8.0
starcitizentools citizen 3.4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62508 is a stored Cross-Site Scripting (XSS) vulnerability in the Citizen skin of MediaWiki versions 3.3.0 to 3.9.0. It occurs because the JavaScript function copyButtonAttributes in stickyHeader.js sets innerHTML from a source element's textContent, which causes escaped HTML in system message content to be interpreted as actual HTML. This allows a user with the editinterface permission (but without editsitejs) to inject arbitrary scripts into sticky header button messages. When other users load pages with the Citizen skin, the malicious script executes in their browsers. [2]

Impact Analysis

This vulnerability allows an attacker with the editinterface permission to execute arbitrary JavaScript in other users' sessions without requiring user interaction. This can lead to unauthorized access to sensitive data or unauthorized actions performed on behalf of other users. The impact includes high confidentiality and integrity risks, such as data theft or modification, but does not affect availability. [2]

Detection Guidance

This vulnerability can be detected by checking if your MediaWiki installation is using the Citizen skin versions from 3.3.0 to 3.9.0 and if users with the editinterface permission can inject malicious HTML into system messages such as citizen-share, citizen-view-history, citizen-view-edit, and nstab-talk. One way to detect exploitation attempts is to look for suspicious HTML or JavaScript payloads in these system messages. For example, you can query the MediaWiki database for these messages containing suspicious tags like <img> with onerror attributes. A sample SQL command to detect suspicious payloads might be: SELECT page_title, old_text FROM text INNER JOIN revision ON text.old_id = revision.rev_text_id INNER JOIN page ON revision.rev_page = page.page_id WHERE page.page_title IN ('Citizen-share', 'Citizen-view-history', 'Citizen-view-edit', 'Nstab-talk') AND old_text LIKE '%<img src="" onerror=%'; Additionally, monitoring HTTP requests for unusual script execution or alerts triggered by injected scripts can help detect exploitation. However, no specific network commands are provided in the resources. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the Citizen MediaWiki skin to version 3.9.0 or later, where the vulnerability is fixed. The fix sanitizes or properly handles the input in stickyHeader.js to prevent stored cross-site scripting. Until the upgrade can be applied, restrict or review users with the editinterface permission to prevent untrusted users from injecting malicious scripts into system messages. Additionally, audit and clean any existing system messages that may contain malicious payloads. Applying the patch from commit e006923c6dbf113c9a025ca186ecc09fe7b93a15 also resolves the issue. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62508. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart